Abstract. We consider two-party quantum protocols starting with a transmission of some random BB84 qubits followed by classical messages. We show a general "compiler" improving the security of such protocols: if the original protocol is secure against an "almost honest" adversary, then the compiled protocol is secure against an arbitrary computationally bounded (quantum) adversary. The compilation preserves the number of qubits sent and the number of rounds up to a constant factor. The compiler also preserves security in the bounded-quantum-storage model (BQSM), so if the original protocol was BQSM-secure, the compiled protocol can only be broken by an adversary who has large quantum memory and large computing power. This is in contrast to known BQSM-secure protocols, where security breaks down completely if the adversary has larger quantum memory than expected. We show how our technique can be applied to quantum identification and oblivious transfer protocols.



1 Introduction 

We consider two-party quantum protocols for mutually distrusting players Alice and Bob. Such 
protocols typically start by Alice sending n random BB84 qubits to Bob who is supposed to 
measure them. Then some classical exchange of messages follows. Several protocols following 
this pattern have been proposed, implementing Oblivious Transfer (OT), Commitment, and 
Password-Based Identification [BBCS91,DFSS08,DFR+07,DFSS07]. 

In more detail, the first step of the protocol consists of Alice choosing random binary strings $x = x_1,\dots,x_n$ and $\theta = \theta_1,\dots,\theta_n$. She then prepares $n$ particles where $x_i$ is encoded in the state of the $i$-th particle using basis $\theta_i$. Bob chooses a basis string $\hat\theta = \hat\theta_1,\dots,\hat\theta_n$ and measures the $i$-th particle in basis $\hat\theta_i$. If Bob plays honestly, he learns $x_i$ whenever $\hat\theta_i = \theta_i$ and else gets a random independent result.

Protocols of the form we consider here are typically unconditionally secure against cheating by Alice, but can (in their basic form) be broken easily by Bob, if he does not measure the qubits immediately. This is because the protocol typically asks Alice to reveal $\theta$ at a later stage, and Bob can then measure the qubits with $\hat\theta = \theta$ and learn more information than he was supposed to.

In this paper, we show a general "compiler" that can be used to improve security against such an attack. We assume that the original protocol implements some two-party functionality $\mathcal F$ with statistical security against Bob if he is benign, meaning that he treats the qubits "almost honestly", a notion we make more precise below. Then we show that the compiled protocol also implements $\mathcal F$, but now with security against any computationally bounded (quantum) Bob (note that we cannot in general obtain unconditional security against both Alice and Bob, not even using quantum communication [Lo97]). The compiled protocol preserves unconditional security against Alice and has the same number of transmitted qubits and rounds as the original one up to a constant factor.

By benign behavior of Bob, we mean that after having received the qubits, two conditions are satisfied: First, Bob's quantum storage is essentially of size zero (note that it would be exactly zero if he had measured the qubits). Second, there exists a basis string $\hat\theta$ such that the uncertainty about $x$ is essentially as it would be if Bob had really measured in bases $\hat\theta$, namely 1 bit for every position where $\hat\theta$ differs from $\theta$.

Thus, with our compiler, one can build a protocol for any two-party functionality by designing a protocol that only has to be secure if Bob is benign. We note that proofs for known protocols typically go through under this assumption. For instance, our compiler can easily be applied to the quantum identification protocols of [DFSS07] and the OT protocol of [BBCS91].

The compiler is based on a computational assumption; namely we assume the existence 
of a classical commitment scheme with some special properties, similar to the commitment 
schemes used in [DFS04] but with an additional extraction property, secure against a quantum 
adversary. A good candidate is the cryptosystem of Regev [Reg05]. For efficiency, we use a 
common reference string which allows us to use Regev's scheme in a simple way and, since it 
is relatively efficient, we get a protocol that is potentially practical. It is possible to generate 
the reference string from scratch, but this requires a more complicated non-constant round 
protocol [DL09]. 

The reader may ask whether it is really interesting to improve the security of quantum protocols for classical tasks such as identification or OT using a computational assumption. Perhaps it would be a more practical approach to use the same assumption to build classical protocols for the same tasks, secure against quantum attacks? To answer this, it is important to point out that our compiler also preserves security in the bounded-quantum-storage model (BQSM) [DFSS05], and this feature allows us to get security properties that classical protocols cannot achieve. In the BQSM, one assumes that Bob can only keep in his quantum memory a limited number of qubits received from Alice. With current state of the art, it is much easier to transmit and measure qubits than it is to store them for a non-negligible time, suggesting that the BQSM and the subsequently proposed noisy-quantum-storage model [WST08] are reasonable. On the other hand, if the assumption fails and the adversary can perfectly store all qubits sent, the known protocols can be easily broken. In contrast, by applying our compiler, one obtains new protocols where the adversary must have large quantum storage and large computing power to break the protocol.¹ ²

The basic technique we use to construct the compiler was already suggested in connection with the first quantum OT protocol from [BBCS91]: we try to force Bob to measure by asking him to commit (using a classical scheme) to all his basis choices and measurement results, and open some of them later. While classical intuition suggests that the commitments should force Bob to measure (almost) all the qubits, it has proved very tricky to show that the approach really works against a quantum adversary. In fact, it was previously very unclear what exactly the commit-and-open approach forces Bob to do. Although some partial results for OT have been shown [Yao95,CDMS04], the original OT protocol from [BBCS91] has never been proved secure for a concrete unconditionally hiding commitment scheme, which is needed to maintain unconditional security against Alice. In this paper, we develop new quantum information-theoretic tools (that may be of independent interest) to characterize what commit-and-open achieves in general, namely it forces Bob to be benign. This property allows us to apply the compiler to any two-party functionality and in particular to show that the OT from [BBCS91] is indeed secure when using an appropriate commitment scheme.



¹ For the case of identification [DFSS07], the compiled protocol is not only secure against adversaries trying to impersonate Alice or Bob, but can also be made secure against man-in-the-middle attacks, where again the adversary must have large quantum storage and large computing power to break the protocol.

² One may try to achieve the same security by combining one of the previous BQSM secure protocols with a computationally secure classical protocol, but it is not clear that this technique will work for all functionalities, and it would require independent key material for the two instances. For the case of password-based identification it would require users to have two passwords.
2 Preliminaries



We assume the reader to be familiar with the basic notation and concepts of quantum information processing [NC00]. In this paper, the computational or $+$-basis is defined by the pair $\{|0\rangle, |1\rangle\}$ (also written as $\{|0\rangle_+, |1\rangle_+\}$). The pair $\{|0\rangle_\times, |1\rangle_\times\}$ denotes the diagonal or $\times$-basis, where $|0\rangle_\times = (|0\rangle + |1\rangle)/\sqrt{2}$ and $|1\rangle_\times = (|0\rangle - |1\rangle)/\sqrt{2}$. We write $|x\rangle_\theta = |x_1\rangle_{\theta_1} \otimes \cdots \otimes |x_n\rangle_{\theta_n}$ for the $n$-qubit state where string $x = (x_1,\dots,x_n) \in \{0,1\}^n$ is encoded in bases $\theta = (\theta_1,\dots,\theta_n) \in \{+,\times\}^n$. For $S \subseteq \{1,\dots,n\}$ of size $s$, we denote by $\bar S := \{1,\dots,n\} \setminus S$ the complement of $S$ and define $x|_S \in \{0,1\}^s$ and $\theta|_S \in \{+,\times\}^s$ to be the restrictions $(x_i)_{i\in S}$ and $(\theta_i)_{i\in S}$, respectively. For two strings $x, y \in \{0,1\}^n$, we define the Hamming distance between $x$ and $y$ as $d_H(x,y) := |\{i : x_i \neq y_i\}|$.

We use upper case letters for the random variables in the proofs that describe the respective values in the protocol. Given a bipartite quantum state $\rho_{XE}$, we say that $X$ is classical if $\rho_{XE}$ is of the form $\rho_{XE} = \sum_{x\in\mathcal X} P_X(x)\,|x\rangle\langle x| \otimes \rho^x_E$ for a probability distribution $P_X$ over a finite set $\mathcal X$, i.e. the state of the quantum register $E$ depends on the classical random variable $X$ in the sense that $E$ is in state $\rho^x_E$ exactly if $X = x$. This naturally extends to states with two or more classical registers.

For a state $\rho_{XE}$ as above, $X$ is independent of register $E$ if $\rho_{XE} = \rho_X \otimes \rho_E$, where $\rho_X = \sum_x P_X(x)|x\rangle\langle x|$ and $\rho_E = \sum_x P_X(x)\rho^x_E$. We also need to express that a random variable $X$ is independent of a quantum state $E$ when given a random variable $Y$. Independence means that when given $Y$, the state $E$ gives no additional information on $X$. Formally, adopting the notion introduced in [DFSS07], we require that $\rho_{XYE}$ equals $\rho_{X\leftrightarrow Y\leftrightarrow E}$, where the latter is defined as

$\rho_{X\leftrightarrow Y\leftrightarrow E} := \sum_{x,y} P_{XY}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho^y_E$,

where $\rho^y_E := \sum_x P_{X|Y}(x|y)\,\rho^{x,y}_E$. In other words, $\rho_{XYE} = \rho_{X\leftrightarrow Y\leftrightarrow E}$ precisely if $\rho^{x,y}_E = \rho^y_E$ for all $x$ and $y$.

Full (conditional) independence is often too strong a requirement, and it usually suffices to be "close" to such a situation. Closeness of two states $\rho$ and $\sigma$ is measured in terms of their trace distance $\delta(\rho,\sigma) = \frac{1}{2}\mathrm{tr}(|\rho - \sigma|)$, where for any operator $A$, $|A|$ is defined as $|A| := \sqrt{AA^\dagger}$.

A quantum algorithm consists of a family $\{C_n\}_{n\in\mathbb N}$ of quantum circuits and is said to run in polynomial time, if the number of gates of $C_n$ is polynomial in $n$. Two families of quantum states $\{\rho_n\}_{n\in\mathbb N}$ and $\{\sigma_n\}_{n\in\mathbb N}$ are called quantum-computationally indistinguishable, denoted $\rho \stackrel{q}{\approx} \sigma$, if any polynomial-time quantum algorithm has negligible advantage (in $n$) of distinguishing $\rho_n$ from $\sigma_n$. Analogously, we call them statistically indistinguishable, $\rho \stackrel{s}{\approx} \sigma$, if their trace distance $\delta(\rho_n, \sigma_n)$ is negligible in $n$.

Definition 2.1 (Min-Entropy). The min-entropy of a random variable $X$ with probability distribution $P_X$ is defined as $H_\infty(X) := -\log(\max_x P_X(x))$.

Definition 2.2 (Max-Entropy). The max-entropy of a density matrix $\rho$ is defined as $H_0(\rho) := \log(\mathrm{rank}(\rho))$.

We will make use of the following properties of a pure state that can be written as a "small superposition" of basis vectors.

Lemma 2.3. Let $|\varphi_{AE}\rangle \in \mathcal H_A \otimes \mathcal H_E$ be of the form $|\varphi_{AE}\rangle = \sum_{i\in J} \alpha_i |i\rangle|\varphi^i_E\rangle$, where $\{|i\rangle\}_{i\in I}$ is a basis of $\mathcal H_A$ and $J \subseteq I$. Then, the following holds.

1. Let $\rho_{AE} = \sum_{i\in J} |\alpha_i|^2\, |i\rangle\langle i| \otimes |\varphi^i_E\rangle\langle\varphi^i_E|$, and let $W$ and $W'$ be the outcome of measuring $A$ of $|\varphi_{AE}\rangle$ respectively of $\rho_{AE}$ in some basis $\{|w\rangle\}_{w\in\mathcal W}$. Then,³

$H_\infty(W) \geq H_\infty(W') - \log|J|$.

³ Using Renner's definition for conditional min-entropy [Ren05], one can actually show that $H_\infty(W|E) \geq H_\infty(W'|E) - \log|J|$.
2. The reduced density matrix $\rho_E = \mathrm{tr}_A(|\varphi_{AE}\rangle\langle\varphi_{AE}|)$ has max-entropy

$H_0(\rho_E) \leq \log|J|$.

Proof. For 1., we may understand $\rho_{AE}$ as being in state $|i\rangle|\varphi^i_E\rangle$ with probability $|\alpha_i|^2$, so that we easily see that

where the inequality is Cauchy-Schwarz. This proves 1.

For 2., note that $\rho_E = \mathrm{tr}_A(|\varphi_{AE}\rangle\langle\varphi_{AE}|) = \sum_{i\in J} |\alpha_i|^2\, |\varphi^i_E\rangle\langle\varphi^i_E|$. The claim follows immediately from the sub-additivity of the rank:

$\mathrm{rank}(\rho_E) \leq \sum_{i\in J} \mathrm{rank}\big(|\alpha_i|^2\, |\varphi^i_E\rangle\langle\varphi^i_E|\big) \leq \sum_{i\in J} 1 = |J|$,

where we use that the $|\varphi^i_E\rangle\langle\varphi^i_E|$'s have rank at most 1.
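As an added numerical check of Lemma 2.3 (this code is not part of the paper), the following Python computes $H_\infty(W)$, $H_\infty(W')$ and $\mathrm{rank}(\rho_E)$ for two constructed states of the required form: $A$ is two qubits measured in the Hadamard basis, $E$ is one qubit, and $J = \{|00\rangle, |11\rangle\}$. The first case, where both $|\varphi^i_E\rangle$ are equal, shows that the $\log|J|$ loss in claim 1 can be attained exactly.

```python
import math

# Added example, not code from the paper: a numerical check of Lemma 2.3 on small states.
# Vectors are plain Python lists of complex numbers; register A has dimension dim_a,
# register E has dimension dim_e, and a joint vector is indexed by a * dim_e + e.

def basis_vec(dim, k):
    """Computational basis vector |k> of a dim-dimensional space."""
    return [1 + 0j if j == k else 0j for j in range(dim)]

def kron(u, v):
    return [a * b for a in u for b in v]

def inner(u, v):
    return sum(a.conjugate() * b for a, b in zip(u, v))

def min_entropy(probs):
    """H_inf(W) = -log(max_w P_W(w)), logarithm base 2 (Definition 2.1)."""
    return -math.log2(max(probs))

def build_state(dim_a, dim_e, terms):
    """|phi_AE> = sum_{i in J} alpha_i |i>|phi_E^i>, with terms = {i: (alpha_i, phi_E^i)}."""
    state = [0j] * (dim_a * dim_e)
    for i, (alpha, phi_e) in terms.items():
        for k, amp in enumerate(kron(basis_vec(dim_a, i), phi_e)):
            state[k] += alpha * amp
    return state

def outcome_dists(dim_a, dim_e, terms, meas_basis):
    """P_W for measuring A of the pure state |phi_AE> in meas_basis, and P_W' for
    measuring A of the mixture rho_AE = sum_i |alpha_i|^2 |i><i| (x) |phi^i><phi^i|."""
    phi = build_state(dim_a, dim_e, terms)
    p_w, p_w_mix = [], []
    for w in meas_basis:
        # (<w| (x) I)|phi_AE>: unnormalised leftover vector on E; its squared norm is P_W(w).
        rest = [sum(w[a].conjugate() * phi[a * dim_e + e] for a in range(dim_a)) for e in range(dim_e)]
        p_w.append(sum(abs(z) ** 2 for z in rest))
        # In the mixture A is |i> with probability |alpha_i|^2, so P_W'(w) = sum_i |alpha_i|^2 |<w|i>|^2.
        p_w_mix.append(sum(abs(alpha) ** 2 * abs(w[i]) ** 2 for i, (alpha, _) in terms.items()))
    return p_w, p_w_mix

def rank_rho_e(terms, tol=1e-9):
    """rank(rho_E) for rho_E = tr_A(|phi><phi|) = sum_i |alpha_i|^2 |phi^i><phi^i|.
    rho_E = V V^dagger with columns alpha_i |phi^i>, so rank(rho_E) = rank(V): count the
    linearly independent columns by Gram-Schmidt."""
    basis = []
    for alpha, phi_e in terms.values():
        v = [alpha * z for z in phi_e]
        for b in basis:
            c = inner(b, v)
            v = [z - c * y for z, y in zip(v, b)]
        norm = math.sqrt(abs(inner(v, v)))
        if norm > tol:
            basis.append([z / norm for z in v])
    return len(basis)

def check_lemma(dim_a, dim_e, terms, meas_basis):
    """Evaluate both claims: H_inf(W) >= H_inf(W') - log|J| and H_0(rho_E) <= log|J|."""
    p_w, p_w_mix = outcome_dists(dim_a, dim_e, terms, meas_basis)
    h_w, h_w_mix, log_j = min_entropy(p_w), min_entropy(p_w_mix), math.log2(len(terms))
    h_0 = math.log2(rank_rho_e(terms))
    return {"H_W": h_w, "H_W'": h_w_mix, "log|J|": log_j, "H_0(rho_E)": h_0,
            "claim1": h_w >= h_w_mix - log_j - 1e-9, "claim2": h_0 <= log_j + 1e-9}

# Constructed inputs: A is two qubits (dim 4), E is one qubit (dim 2), J = {|00>, |11>}.
S = math.sqrt(0.5)
H_PLUS, H_MINUS = [S, S], [S, -S]
HADAMARD_BASIS = [kron(a, b) for a in (H_PLUS, H_MINUS) for b in (H_PLUS, H_MINUS)]
# Case 1: identical E parts, so A is in a genuine superposition (|00> + |11>)/sqrt(2) (x) |0>.
SUPERPOSITION = {0: (S, basis_vec(2, 0)), 3: (S, basis_vec(2, 0))}
# Case 2: E records the branch, (|00>|0> + |11>|1>)/sqrt(2); A alone is then a mixture.
ENTANGLED = {0: (S, basis_vec(2, 0)), 3: (S, basis_vec(2, 1))}

def run_examples():
    return (check_lemma(4, 2, SUPERPOSITION, HADAMARD_BASIS),
            check_lemma(4, 2, ENTANGLED, HADAMARD_BASIS))

if __name__ == "__main__":
    for name, res in zip(("superposition", "entangled"), run_examples()):
        print(name, res)
```

In case 1 the pure state gives $H_\infty(W) = 1$ while the mixture gives $H_\infty(W') = 2$, exactly $\log|J| = 1$ apart; in case 2 both equal 2 and $\rho_E$ has rank $|J| = 2$.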
3 Definition of Security

In order to define security of our two-party protocols, we follow the framework put forward by Fehr and Schaffner in [FS09]. We are interested in quantum protocols that implement classical functionalities such as oblivious transfer. Such primitives are often used as building blocks in more complicated classical (multi-party) protocols which implement advanced tasks. Therefore, it is natural to restrict our focus on quantum protocols that run in a classical environment and have classical in- and outputs. A two-party quantum protocol $\Pi = (A, B)$ consists of an infinite family of interactive quantum circuits for players Alice and Bob indexed by the security parameter $m$ (in our case, $m$ will also be the number of qubits transmitted). To ease notation, we often leave the dependence on $m$ implicit. A classical non-reactive two-party ideal functionality $\mathcal F$ is given by a conditional probability distribution $P_{\mathcal F(U,V)|UV}$, inducing a pair of random variables $(X, Y) = \mathcal F(U, V)$ for every joint distribution of $U$ and $V$. The definition of correctness of a protocol is straightforward.

Definition 3.1 (Correctness). A protocol $\Pi = (A, B)$ correctly implements an ideal classical functionality $\mathcal F$, if for every distribution of the input values $U$ and $V$, the resulting common output satisfies

$(U, V, (X, Y)) \stackrel{s}{\approx} (U, V, \mathcal F(U, V))$.

Let us denote by $out^{\mathcal F}_{\hat A,\hat B}$ the joint output⁴ of the "ideal-life" protocol, where Alice and Bob forward their inputs to $\mathcal F$ and output whatever they obtain from $\mathcal F$. And we write $out^{\Pi}_{A,B'}$ for the joint output of the execution of this protocol with a dishonest Bob with strategy $B'$ (and similarly for a dishonest Alice). Note that Bob's possibilities in the ideal world are very limited: he can produce some classical input $V$ for $\mathcal F$ from his input quantum state $V'$, and then he can prepare and output a quantum state $Y'$ which might depend on $\mathcal F$'s classical reply $Y$.

⁴ We use a slightly different notation here than in [FS09]. Our notation $out^{\mathcal F}_{\hat A,\hat B}$ does not mention the name of the input registers and corresponds to $(\mathcal F_{\hat A\hat B})\rho_{UV}$ in [FS09].
3.1 Information-Theoretic Security

We define information-theoretic security using the real/ideal-world paradigm, which requires that by attacking a protocol in the real world the dishonest party cannot achieve (significantly) more than when attacking the corresponding functionality in the ideal world. To be consistent with the framework used in [FS09], we restrict the joint input state, consisting of a classical input to the honest party and a possibly quantum input to the dishonest party, to a special form: in case of a dishonest Bob (and correspondingly for a dishonest Alice), we require that Bob's input consists of a classical part $Z$ and a quantum part $V'$, such that the joint state $\rho_{UZV'}$ satisfies $\rho_{UZV'} = \rho_{U\leftrightarrow Z\leftrightarrow V'}$, i.e., that $V'$ is correlated with Alice's input only via the classical $Z$. We call a joint input state of that form (respectively of the form $\rho_{U'ZV} = \rho_{U'\leftrightarrow Z\leftrightarrow V}$ in case of dishonest Alice) a legitimate input state. As shown in [FS09], this restriction on the input state leads to a meaningful security definition with a composition theorem that guarantees sequential composition within classical outer protocols. Furthermore, the results of Section 4 also hold when quantifying over all (possibly non-legitimate) joint input states.

Definition 3.2 (Unconditional security against dishonest Alice). A protocol $\Pi = (A, B)$ implements an ideal classical functionality $\mathcal F$ unconditionally securely against dishonest Alice, if for any real-world adversary $A'$ there exists an ideal-world adversary $\hat A'$ such that for any legitimate input state, it holds that the outputs in the real and ideal world are statistically indistinguishable, i.e.

$out^{\Pi}_{A',B} \stackrel{s}{\approx} out^{\mathcal F}_{\hat A',\hat B}$.

Definition 3.3 (Unconditional security against dishonest Bob). A protocol $\Pi = (A, B)$ implements an ideal classical functionality $\mathcal F$ unconditionally securely against dishonest Bob, if for any real-world adversary $B'$ there exists an ideal-world adversary $\hat B'$ such that for any legitimate input state, it holds that the outputs in the real and ideal world are statistically indistinguishable, i.e.

$out^{\Pi}_{A,B'} \stackrel{s}{\approx} out^{\mathcal F}_{\hat A,\hat B'}$.

It has been shown in Theorem 5.1 in [FS09] that protocols fulfilling the above definitions compose sequentially as follows. For a classical real-life protocol $\Pi$ which makes at most $k$ oracle calls to functionalities $\mathcal F_1, \dots, \mathcal F_k$, it is guaranteed that whatever output $\Pi$ produces, the output produced when the oracle calls are replaced by $\varepsilon$-secure protocols is at distance at most $O(k\varepsilon)$.

Notice that in the definitions above, we do not require the running time of ideal-world adversaries to be polynomial whenever the real-life adversaries run in polynomial time. This way of defining unconditional security can lead to the (unwanted) effect that unconditional security does not necessarily imply computational security. However, for the security of the construction proposed in this paper, efficient ideal-life adversaries can be guaranteed, as discussed in Section 5.3.

3.2 Computational Security in the CRS Model

One can define security against a computationally bounded dishonest Bob analogously to information-theoretic security with the two differences that the input given to the parties has to be sampled by an efficient quantum algorithm and that the output states should be computationally indistinguishable.

In the common-reference-string (CRS) model, all participants in the real-life protocol $\Pi_{A,B}$ have access to a classical public string $\omega$ which is chosen before any interaction starts according to a distribution only depending on the security parameter. On the other hand, the participants in the "ideal-life" protocol $\mathcal F_{\hat A,\hat B}$ interacting only with the ideal functionality do not make use of the string $\omega$. Hence, an ideal-world adversary $\hat B'$, that operates by simulating the real world to the adversary $B'$, is free to choose $\omega$ in any way he wishes.
In order to define computational security against a dishonest Bob in the CRS model, we consider a polynomial-size quantum circuit, called input sampler, which takes as input the security parameter $m$ and the CRS $\omega$ (chosen according to its distribution) and produces the input state $\rho_{UZV'}$; $U$ is Alice's classical input to the protocol, and $Z$ and $V'$ denote the respective classical and quantum information given to dishonest Bob. We call the input sampler legitimate if $\rho_{UZV'} = \rho_{U\leftrightarrow Z\leftrightarrow V'}$.

In the following and throughout the article, we let $\mathfrak B_{poly}$ be the family of all polynomial-time quantum strategies for dishonest Bob $B'$.

Definition 3.4 (Computational security against dishonest Bob). A protocol $\Pi = (A, B)$ implements an ideal classical functionality $\mathcal F$ computationally securely against dishonest Bob, if for any real-world adversary $B' \in \mathfrak B_{poly}$ who has access to the common reference string $\omega$, there exists an ideal-world adversary $\hat B' \in \mathfrak B_{poly}$ not using $\omega$ such that for any efficient legitimate input sampler, it holds that the outputs in the real and ideal world are q-indistinguishable, i.e.

$out^{\Pi}_{A,B'} \stackrel{q}{\approx} out^{\mathcal F}_{\hat A,\hat B'}$.

In Appendix A, we show that also the computational security definition, as given here, allows for (sequential) composition of quantum protocols into classical outer protocols.

4 Improving the Security via Commit-and-Open

4.1 Security against Benign Bob

In this paper, we consider quantum two-party protocols that follow a particular but very typical construction design. These protocols consist of two phases, called preparation and post-processing phase, and are as specified in Figure 1. We call a protocol that follows this construction design a BB84-type protocol.

Protocol $\Pi$

Preparation: A chooses $x \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$ and sends $|x\rangle_\theta$ to B, and B chooses $\hat\theta \in_R \{+,\times\}^n$ and obtains $\hat x \in \{0,1\}^n$ by measuring $|x\rangle_\theta$ in basis $\hat\theta$.

Post-processing: Arbitrary classical communication and local computations.

Fig. 1. Generic BB84-type quantum protocol $\Pi$.

The following definition captures information-theoretic security against a somewhat mildly dishonest Bob who we call a benign (dishonest) Bob. Such a dishonest Bob is benign in that, in the preparation phase, he does not deviate too much from what he is supposed to do; in the post-processing phase though, he may be arbitrarily dishonest.

To make this description formal, we fix an arbitrary choice of $\theta$ and an arbitrary value for the classical information, $z$, which $B'$ may obtain as a result of the preparation phase (i.e. $z = (\hat\theta, \hat x)$ in case $B'$ is actually honest). Let $X$ denote the random variable describing the bit-string $x$, where we understand the distribution $P_X$ of $X$ to be conditioned on the fixed values of $\theta$ and $z$. Furthermore, let $\rho_E$ be the state of $B'$'s quantum register $E$ after the preparation phase. Note that, still with fixed $\theta$ and $z$, $\rho_E$ is of the form $\rho_E = \sum_x P_X(x)\rho^x_E$, where $\rho^x_E$ is the state of $B'$'s quantum register in case $X$ takes on the value $x$. In general, the $\rho^x_E$'s may be mixed, but we can think of them as being reduced pure states: $\rho^x_E = \mathrm{tr}_R(|\psi^x_{ER}\rangle\langle\psi^x_{ER}|)$ for a suitable register $R$ and pure states $|\psi^x_{ER}\rangle$; we then call the state $\rho_{ER} = \sum_x P_X(x)|\psi^x_{ER}\rangle\langle\psi^x_{ER}|$ the pointwise purification (with respect to $X$) of $\rho_E$.

Obviously, in case $B'$ is honest, $x_i$ is fully random whenever $\hat\theta_i \neq \theta_i$, so that $H_\infty(X|_I \mid X|_{\bar I} = x|_{\bar I}) = d_H(\theta|_I, \hat\theta|_I)$ for every $I \subseteq \{1,\dots,n\}$ and every $x|_{\bar I}$, and $B'$ does not store any non-trivial quantum state so that $R$ is "empty" and $H_0(\rho_{ER}) = H_0(\rho_E) = 0$. A benign Bob $B'$ is now specified to behave close-to-honestly in the preparation phase: he produces an auxiliary output $\hat\theta$ after the preparation phase, and given this output, we are in a certain sense close to the ideal situation where Bob really measured in basis $\hat\theta$ as far as the values of $H_\infty(X|_I \mid X|_{\bar I} = x|_{\bar I})$ and $H_0(\rho_{ER})$ are concerned.⁵ We now make this precise:

Definition 4.1 (Unconditional security against benign Bob). A BB84-type quantum protocol $\Pi$ securely implements $\mathcal F$ against a $\beta$-benign Bob for some parameter $\beta > 0$, if it securely implements $\mathcal F$ according to Definition 3.3, with the following two modifications:

1. The quantification is over all $B'$ with the following property: after the preparation phase $B'$ either aborts, or else produces an auxiliary output $\hat\theta \in \{+,\times\}^n$. Moreover, the joint state of $A$, $B'$ (after $\hat\theta$ has been output) is statistically indistinguishable from a state for which it holds that for any fixed values of $\theta$, $\hat\theta$ and $z$, for any subset $I \subseteq \{1,\dots,n\}$, and for any $x|_{\bar I}$

$H_\infty(X|_I \mid X|_{\bar I} = x|_{\bar I}) \geq d_H(\theta|_I, \hat\theta|_I) - \beta n \quad\text{and}\quad H_0(\rho_{ER}) \leq \beta n$ (1)

where $\rho_{ER}$ is the pointwise purification of $\rho_E$ with respect to $X$.

2. $\hat B'$'s running-time is polynomial in the running-time of $B'$.

4.2 From Benign to Computational Security

We show a generic compiler which transforms any BB84-type protocol into a new quantum protocol for the same task. The compiler achieves that if the original protocol is unconditionally secure against dishonest Alice and unconditionally secure against benign Bob, then the compiled protocol is still unconditionally secure against dishonest Alice and it is computationally secure against arbitrary dishonest Bob.

The idea behind the construction of the compiler is to incorporate a commitment scheme and force Bob to behave benignly by means of a commit-and-open procedure. Figure 2 shows the compilation of an arbitrary BB84-type protocol $\Pi$. The quantum communication is increased from $n$ to $m = n/(1-\alpha)$ qubits, where $0 < \alpha < 1$ is some additional parameter that can be arbitrarily chosen. The compiled protocol also requires 3 more rounds of interaction.



Protocol $\mathcal C^\alpha(\Pi)$

Preparation: A chooses $x \in_R \{0,1\}^m$ and $\theta \in_R \{+,\times\}^m$ and sends $|x\rangle_\theta$ to B. Then, B chooses $\hat\theta \in_R \{+,\times\}^m$ and obtains $\hat x \in \{0,1\}^m$ by measuring $|x\rangle_\theta$ in basis $\hat\theta$.

Verification: 1. B commits to $\hat\theta$ and $\hat x$ position-wise: $c_i := \mathrm{Commit}((\hat\theta_i, \hat x_i), r_i)$ with randomness $r_i$ for $i = 1,\dots,m$. He sends the commitments to A.

2. A sends a random test subset $T \subseteq \{1,\dots,m\}$ of size $\alpha m$. B opens $c_i$ for all $i \in T$, and A checks that the openings were correct and that $\hat x_i = x_i$ whenever $\hat\theta_i = \theta_i$. If all tests are passed, A accepts, otherwise, she rejects and aborts.

3. The tested positions are discarded by both parties: A and B restrict $x$ and $\theta$, respectively $\hat\theta$ and $\hat x$, to $i \in \bar T$.

Post-processing: As in $\Pi$ (with $x$, $\theta$, $\hat x$ and $\hat\theta$ restricted to the positions $i \in \bar T$).

Fig. 2. Compiled protocol $\mathcal C^\alpha(\Pi)$.

⁵ The reason why we consider the pointwise purification of $\rho_E$ is to prevent Bob from artificially blowing up $H_0(\rho_{ER})$ by locally generating a large mixture or storing an unrelated mixed input state.
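To illustrate what the verification phase of $\mathcal C^\alpha(\Pi)$ checks, here is an added Python simulation (not code from the paper). The qubits are modelled classically by the BB84 rule from the introduction, the commitment is a hash-based stand-in that has neither the unconditional hiding nor the extraction property of the dual-mode scheme the paper requires, and the parameters $n = 40$, $\alpha = 1/2$ and the two Bob strategies are constructed for the experiment.

```python
import hashlib
import random

# Added example, not code from the paper: simulating the preparation and verification
# phases of C^alpha(Pi) (Figure 2) with a classical model of the BB84 qubits.

def commit(theta_hat_i, x_hat_i, r):
    """Stand-in commitment (SHA-256 over value and randomness). The paper requires a
    dual-mode scheme instead; this is only a placeholder so the check can be run."""
    return hashlib.sha256(f"{theta_hat_i}|{x_hat_i}|".encode() + r).hexdigest()

def alice_prepare(m, rng):
    """Alice picks x in {0,1}^m and theta in {+,x}^m; the pair (x_i, theta_i) stands for |x_i>_theta_i."""
    x = [rng.randint(0, 1) for _ in range(m)]
    theta = [rng.choice("+x") for _ in range(m)]
    return x, theta

def honest_bob(x, theta, rng):
    """Honest Bob measures in a random basis string theta_hat: the outcome x_hat_i equals
    x_i when theta_hat_i = theta_i and is an independent random bit otherwise."""
    theta_hat = [rng.choice("+x") for _ in range(len(x))]
    x_hat = [xi if th == t else rng.randint(0, 1) for xi, t, th in zip(x, theta, theta_hat)]
    return theta_hat, x_hat

def non_measuring_bob(x, theta, rng):
    """Bob who keeps the qubits unmeasured (the deviation Section 1 describes) and therefore
    has to commit to values that are independent of x."""
    m = len(x)
    return [rng.choice("+x") for _ in range(m)], [rng.randint(0, 1) for _ in range(m)]

def verification(x, theta, theta_hat, x_hat, alpha, rng):
    """Verification steps 1-3 of Figure 2. Returns the list of surviving positions
    (the complement of T) if Alice accepts, or None if she rejects and aborts."""
    m = len(x)
    # Step 1: Bob commits position-wise to (theta_hat_i, x_hat_i) with randomness r_i.
    rs = [bytes(rng.getrandbits(8) for _ in range(16)) for _ in range(m)]
    cs = [commit(theta_hat[i], x_hat[i], rs[i]) for i in range(m)]
    # Step 2: Alice picks a random test subset T of size alpha*m and Bob opens c_i for i in T.
    tested = set(rng.sample(range(m), int(alpha * m)))
    for i in tested:
        opened_ok = commit(theta_hat[i], x_hat[i], rs[i]) == cs[i]
        # Only positions with matching bases are compared; the others carry no information.
        consistent = theta_hat[i] != theta[i] or x_hat[i] == x[i]
        if not (opened_ok and consistent):
            return None
    # Step 3: both parties discard the tested positions.
    return [i for i in range(m) if i not in tested]

def experiment(n, alpha, trials, bob, seed):
    """Run preparation + verification `trials` times with m = n/(1-alpha) qubits.
    Returns (accepted runs, m, positions left for post-processing in an accepted run)."""
    rng = random.Random(seed)
    m = round(n / (1 - alpha))
    accepted, survivors = 0, None
    for _ in range(trials):
        x, theta = alice_prepare(m, rng)
        theta_hat, x_hat = bob(x, theta, rng)
        rest = verification(x, theta, theta_hat, x_hat, alpha, rng)
        if rest is not None:
            accepted += 1
            survivors = len(rest)
    return accepted, m, survivors

if __name__ == "__main__":
    # Constructed parameters: n = 40 positions for Pi and alpha = 1/2, so m = 80 qubits are sent.
    print("honest Bob accepted:", experiment(40, 0.5, 200, honest_bob, seed=1))
    print("non-measuring Bob accepted:", experiment(40, 0.5, 200, non_measuring_bob, seed=1))
```

An honest Bob is accepted in every run and is left with exactly $n = m - \alpha m$ positions, while a Bob who committed without measuring is caught on the first tested position where the bases agree and his committed bit is wrong, which happens in essentially every run at these parameters.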
We need to specify what kind of commitment scheme to use. In order to preserve unconditional security against dishonest Alice, the commitment scheme needs to be unconditionally hiding, and so can at best be computationally binding. However, for a plain computationally binding commitment scheme, we do not know how to reduce the computational security of $\mathcal C^\alpha(\Pi)$ against dishonest Bob to the computational binding property of the commitment scheme.⁶ Therefore, we use a commitment scheme with additional properties: we require a keyed commitment scheme $\mathrm{Commit}_{pk}$, where the corresponding public key $pk$ is generated by one of two possible key-generation algorithms: $\mathcal G_H$ or $\mathcal G_B$. For a key pkH generated by $\mathcal G_H$, the commitment scheme $\mathrm{Commit}_{pkH}$ is unconditionally hiding, whereas the other generator, $\mathcal G_B$, actually produces a key pair (pkB, sk), so that the secret key sk allows to efficiently extract $m$ from $\mathrm{Commit}_{pkB}(m, r)$, and as such $\mathrm{Commit}_{pkB}$ is unconditionally binding. Furthermore, we require pkH and pkB to be computationally indistinguishable, even against quantum attacks. We call such a commitment scheme a dual-mode commitment scheme. As a candidate for implementing such a system, we propose the public-key encryption scheme of Regev [Reg05], which is based on a worst-case lattice assumption and is not known to be breakable even by (efficient) quantum algorithms. Regev does not explicitly state that the scheme has the property we need, but this is implicit in his proof that the underlying computational assumption implies semantic security.⁷ ⁸

For simplicity and efficiency, we consider the common-reference-string model, and we assume the key pkB for the commitment scheme, generated according to $\mathcal G_B$, to be contained in the CRS. We sketch in Section 5.4 how to avoid the CRS model, at the cost of a non constant-round construction where the parties generate the CRS jointly by means of a coin-tossing protocol (see [DL09] for details).

We sometimes write $\mathcal C^\alpha_{pkH}(\Pi)$ for the compiled protocol $\mathcal C^\alpha(\Pi)$ to stress that a key pkH produced by $\mathcal G_H$ is used for the dual-mode commitment scheme, and we write $\mathcal C^\alpha_{pkB}(\Pi)$ when a key pkB produced by $\mathcal G_B$ is used instead.

Theorem 4.2. Let $\Pi$ be a BB84-type protocol, unconditionally secure against dishonest Alice and against $\beta$-benign Bob for some constant $\beta > 0$. Consider the compiled protocol $\mathcal C^\alpha(\Pi)$ for an arbitrary $\alpha > 0$, where the commitment scheme is instantiated by a dual-mode commitment scheme as described above. Then, $\mathcal C^\alpha(\Pi)$ is unconditionally secure against dishonest Alice and computationally secure against dishonest Bob in the CRS model.

We now prove this theorem, which assumes noise-free quantum communication; we explain in Section 5.1 how to generalize it for a noisy quantum channel. Correctness is obvious. In order to show unconditional security against dishonest Alice, we notice that the unconditional hiding property of the commitment scheme ensures that dishonest Alice does not learn any additional information. Furthermore, as the ideal-life adversary $\hat A'$ is not required to be time-bounded by Definition 3.2, she can break the binding-property of the commitment scheme and thereby perfectly simulate the behavior of an honest Bob towards $A'$ attacking $\mathcal C^\alpha(\Pi)$. The issue of efficiency of the ideal-life adversaries is addressed in Section 5.3.

As for computational security against dishonest Bob, according to Definition 3.4, we need to prove that for every real-world adversary $B' \in \mathfrak B_{poly}$ attacking $\mathcal C^\alpha(\Pi)$, there exists a suitable ideal-world adversary $\hat B' \in \mathfrak B_{poly}$ attacking $\mathcal F$ such that

$out^{\mathcal C^\alpha(\Pi)}_{A,B'} \stackrel{q}{\approx} out^{\mathcal F}_{\hat A,\hat B'}$.

⁶ Classically, this would be done by a rewinding argument, but this fails to work for a quantum Bob.

⁷ The notions of dual-mode cryptosystems and of meaningful/meaningless encryptions, as introduced in [PVW08] and [KN08], are similar in spirit but differ slightly technically.

⁸ The proof compares the case where the public key is generated normally to a case where it is chosen with no relation to any secret key. It is then argued that the assumption implies that the two cases are computationally indistinguishable, and that in the second case, a ciphertext carries essentially no information about the message. This argument implies what we need.
First, note that by the computational indistinguishability of pkH and pkB,

$out^{\mathcal C^\alpha_{pkH}(\Pi)}_{A,B'} \stackrel{q}{\approx} out^{\mathcal C^\alpha_{pkB}(\Pi)}_{A,B'}$. (2)

Then, we construct an adversary $B'_0 \in \mathfrak B_{poly}$ who attacks the unconditional security against benign Bob of protocol $\Pi$, and which satisfies

$out^{\mathcal C^\alpha_{pkB}(\Pi)}_{A,B'} = out^{\Pi}_{A_0,B'_0}$, (3)

where $A_0$ honestly executes $\Pi$. We define $B'_0$ in the following way. Consider the execution of $\mathcal C^\alpha(\Pi)$ between $A$ and $B'$. We split $A$ into two players $A_0$ and $\tilde A$, where we think of $\tilde A$ as being placed in between $A_0$ and $B'$, see Figure 3. $A_0$ plays honest Alice's part of $\Pi$ while $\tilde A$ acts as follows: It receives $n$ qubits from $A_0$, produces $\alpha n/(1-\alpha)$ random BB84 qubits of its own and interleaves them randomly with those received and sends the resulting $m = n/(1-\alpha)$ qubits to $B'$. It then does the verification step of $\mathcal C^\alpha(\Pi)$ with $B'$, asking to have commitments corresponding to its own qubits opened. If this results in accept, it lets $A_0$ finish the protocol with $B'$. Note that the pair $(A_0, \tilde A)$ does exactly the same as $A$; however, we can also move the actions of $\tilde A$ to Bob's side, and define $B'_0$ as follows. $B'_0$ samples (pkB, sk) according to $\mathcal G_B$ and executes $\Pi$ with $A_0$ by locally running $\tilde A$ and $B'$, using pkB as CRS. If $\tilde A$ accepts the verification then $B'_0$ outputs $\hat\theta \in \{0,1\}^n$ (as required from a benign Bob), obtained by decrypting the unopened commitments with the help of sk; else, $B'_0$ aborts at this point. It is now clear that Equation (3) holds: exactly the same computation takes place in both "experiments", the only difference being that they are executed partly by different entities. The last step is to show that

$out^{\Pi}_{A_0,B'_0} \stackrel{q}{\approx} out^{\mathcal F}_{\hat A,\hat B'}$ (4)

for some $\hat B'$. It is clear that the theorem follows from (2) - (4) together.



[Figure 3: labels $A_0$, $\Pi$, $\mathcal C^\alpha(\Pi)$, $B'$, $B'_0$; $\tilde A$ and $B'$ together form $B'_0$, which runs $\Pi$ against $A_0$.]

Fig. 3. Constructing an attacker $B'_0$ against $\Pi$ from an attacker $B'$ against $\mathcal C^\alpha(\Pi)$.



Now (4) actually claims that $\hat A$, $\hat B'$ successfully simulate $A_0$ and $B'_0$ executing $\Pi$, and this claim follows by assumption of benign security of $\Pi$ if we show that $B'_0$ is $\beta$-benign according to Definition 4.1 for any $\beta > 0$. We show this in the following subsection, i.e., the joint state of $A_0$, $B'_0$ after the preparation phase is statistically indistinguishable from a state $\rho_{ideal}$ which satisfies the bounds (1) from Definition 4.1.

4.3 Completing the Proof: Bounding Entropy and Memory Size

First recall that $A_0$ executing $\Pi$ with $B'_0$ can equivalently be thought of as $A$ executing $\mathcal C^\alpha_{pkB}(\Pi)$ with $B'$. Furthermore, a joint state of $A$, $B'$ is clearly also a joint state of $A_0$, $B'_0$.

To show the existence of $\rho_{ideal}$ as promised above, it therefore suffices to show such a state for $A$, $B'$. In other words, we need to show that the execution of $\mathcal C^\alpha_{pkB}(\Pi)$ with honest Alice $A$ and arbitrarily dishonest Bob $B'$ will, after verification, be close to a state where (1) holds. To show this closeness, we consider an equivalent EPR-pair version, where Alice creates $m$ EPR pairs $(|00\rangle + |11\rangle)/\sqrt{2}$, sends one qubit in each pair to Bob and keeps the others in register $A$. Alice measures her qubits only when needed: she measures the qubits within $T$ in Step 2 of the verification phase, and the remaining qubits at the end of the verification phase. With respect to the information Alice and Bob obtain, this EPR version is identical to the original protocol $\mathcal C^\alpha_{pkB}(\Pi)$: the only difference is the point in time when Alice obtains certain information. Furthermore, we can also do the following modification without affecting (1). Instead of measuring her qubits in $T$ in her basis $\theta|_T$, she measures them in Bob's basis $\hat\theta|_T$; however, she still verifies only whether $\hat x_i = x_i$ for those $i \in T$ with $\hat\theta_i = \theta_i$. Because the positions $i \in T$ with $\hat\theta_i \neq \theta_i$ are not used in the protocol at all, this change has no effect. As the commitment scheme is unconditionally binding if key pkB is used, Bob's basis $\hat\theta$ is well defined by his commitments (although hard to compute), even if Bob is dishonest. The resulting scheme is given in Figure 4.



Protocol EPR-$C_{pk_B}(\Pi)$ 

Preparation: A prepares m EPR pairs and sends the second qubit in each pair to Bob while keeping the 
others in register $A = A_1 \cdots A_m$. B chooses $\hat\theta \in_R \{+,\times\}^m$ and obtains $\hat x \in \{0,1\}^m$ by measuring the 
received qubits in basis $\hat\theta$. 

Verification: 1. B commits to $\hat\theta$ and $\hat x$ position-wise: $c_i := \mathrm{Commit}((\hat\theta_i, \hat x_i), r_i)$ with randomness $r_i$ for 
$i = 1, \ldots, m$. He sends the commitments to A. 

2. A sends a random test subset $T \subset \{1, \ldots, m\}$ of size $\alpha m$. B opens $c_i$ for all $i \in T$. A chooses 
$\theta \in_R \{+,\times\}^m$, measures registers $A_i$ with $i \in T$ in basis $\hat\theta_i$ to obtain $x_i$, and she checks that the 
openings were correct and that $x_i = \hat x_i$ whenever $\theta_i = \hat\theta_i$ for $i \in T$. If all tests are passed, A accepts, 
otherwise she rejects and aborts the protocol. 

3. A measures the remaining registers in basis $\theta|_{\bar T}$ to obtain $x|_{\bar T}$. The tested positions are discarded by 
both parties: A and B restrict x and $\theta$, respectively $\hat x$ and $\hat\theta$, to the positions $i \in \bar T$. 

Post-processing: As in $\Pi$ (with $x, \theta, \hat x$ and $\hat\theta$ restricted to the positions $i \in \bar T$). 

Fig. 4. EPR version of $C_{pk_B}(\Pi)$. 
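The verification phase of Figure 4, and the classical sampling argument that Lemma 4.3 reduces to, can be exercised in a small simulation. The Python block below is an added example, not code from the paper: it models the value each position carries in Bob's basis as a bit that an honest measurement returns exactly and that a skipped measurement replaces by a uniform guess, and it stands in for the Regev-based commitment with a SHA-256 hash of $(\hat\theta_i, \hat x_i, r_i)$, which is enough to show the commit-then-open ordering (the hash is not unconditionally hiding). The `tolerance` parameter is the noise allowance of Section 5.1; all function and parameter names are the example's own.

```python
"""Classical simulation of the commit-and-open verification of EPR-C_pkB(Pi)
(Figure 4) and of the sampling bound behind Lemma 4.3.  Added example, not from
the paper.  Constructed model: v[i] is the bit that position i carries in Bob's
basis theta_hat; an honest measurement returns v[i], a skipped measurement is
replaced by a uniform guess.  Commit is a SHA-256 hash of (theta_hat_i, x_hat_i,
r_i), a stand-in for the Regev-based scheme used only for its commit-then-open
ordering (it is not unconditionally hiding)."""
import hashlib
import random
from typing import FrozenSet, List, Sequence, Tuple

Opening = Tuple[int, int, bytes]  # (theta_hat_i, x_hat_i, r_i)


def commit(theta_hat_i: int, x_hat_i: int, r_i: bytes) -> str:
    return hashlib.sha256(bytes([theta_hat_i, x_hat_i]) + r_i).hexdigest()


def verify_opening(c: str, opening: Opening) -> bool:
    return commit(*opening) == c


def bob_prepare(v: Sequence[int], theta_hat: Sequence[int], skipped: FrozenSet[int],
                rng: random.Random) -> Tuple[List[int], List[Opening], List[str]]:
    """Bob measures every position not in `skipped`, guesses the rest, and commits
    position-wise to (theta_hat_i, x_hat_i) before the test set T is announced."""
    x_hat = [v[i] if i not in skipped else rng.randrange(2) for i in range(len(v))]
    openings = [(theta_hat[i], x_hat[i], rng.getrandbits(128).to_bytes(16, "big"))
                for i in range(len(v))]
    return x_hat, openings, [commit(*o) for o in openings]


def relative_error(v: Sequence[int], x_hat: Sequence[int], positions: Sequence[int]) -> float:
    """r_H(v|positions, x_hat|positions); taken as 0 on the empty set."""
    if not positions:
        return 0.0
    return sum(v[i] != x_hat[i] for i in positions) / len(positions)


def run_verification(m: int, alpha: float, skip_fraction: float, tolerance: float,
                     rng: random.Random) -> Tuple[bool, float, float]:
    """One execution: (alice_accepts, r_H on T', r_H on the complement of T).
    `tolerance` is the noise allowance of Section 5.1; 0 is the noise-free compiler."""
    v = [rng.randrange(2) for _ in range(m)]
    theta_hat = [rng.randrange(2) for _ in range(m)]
    skipped = frozenset(rng.sample(range(m), int(skip_fraction * m)))
    x_hat, openings, commitments = bob_prepare(v, theta_hat, skipped, rng)
    # Step 2: T and Alice's basis theta are chosen only after the commitments are fixed.
    T = rng.sample(range(m), int(alpha * m))
    theta = [rng.randrange(2) for _ in range(m)]
    T_prime = [i for i in T if theta[i] == theta_hat[i]]   # positions Alice can check
    T_set = set(T)
    T_bar = [i for i in range(m) if i not in T_set]        # positions kept for Pi
    err_T_bar = relative_error(v, x_hat, T_bar)
    # Bob opens c_i for i in T; any bad opening is an immediate reject.
    if not all(verify_opening(commitments[i], openings[i]) for i in T):
        return False, 1.0, err_T_bar
    err_T_prime = relative_error(v, x_hat, T_prime)
    return err_T_prime <= tolerance, err_T_prime, err_T_bar


def single_run(m: int, alpha: float, skip_fraction: float, tolerance: float,
               seed: int) -> Tuple[bool, float, float]:
    return run_verification(m, alpha, skip_fraction, tolerance, random.Random(seed))


def sampling_gap(trials: int, m: int, alpha: float, skip_fraction: float, seed: int) -> float:
    """Largest r_H(T_bar) - r_H(T') over `trials` executions: Lemma 4.3 says this
    exceeds any fixed epsilon only with probability negligible in m."""
    rng = random.Random(seed)
    worst = 0.0
    for _ in range(trials):
        _, err_T_prime, err_T_bar = run_verification(m, alpha, skip_fraction, 1.0, rng)
        worst = max(worst, err_T_bar - err_T_prime)
    return worst


if __name__ == "__main__":
    print("honest Bob accepted:", single_run(1000, 0.25, 0.0, 0.0, 0)[0])
    print("Bob guessing half the positions accepted:", single_run(1000, 0.25, 0.5, 0.0, 0)[0])
    print("worst r_H gap over 200 runs:", sampling_gap(200, 2000, 0.25, 0.2, 1))
```

The point the simulation makes is the one the proof relies on: because Bob's $(\hat\theta, \hat x)$ are fixed before T is drawn, the error rate Alice sees on the checkable positions $T'$ is a faithful sample of the error rate on the positions that survive into $\Pi$, so a Bob who skipped a constant fraction of measurements is caught in the test and, if he is not, the residual error on $\bar T$ is bounded by what was observed on $T'$ plus a small margin.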

We consider an execution of the scheme from Figure 4 with an honest Alice A and a dishonest 
Bob B', and we fix $\hat\theta$ and $\hat x$, determined by Bob's commitments. Let $|\varphi_{AE}\rangle \in \mathcal H_A \otimes \mathcal H_E$ be the 
state of the joint system right before Step 2 of the verification phase. Since in the end we are 
anyway interested in the pointwise purification of Bob's state, we may indeed assume this state 
to be pure; if it is not, then we purify it and carry the purifying register R along with E. Clearly, 
if B' had honestly done his measurements then $|\varphi_{AE}\rangle = |\hat x\rangle_{\hat\theta} \otimes |\varphi_E\rangle$ for some $|\varphi_E\rangle \in \mathcal H_E$. In 
this case, the quantum memory E would be empty: $H_0(|\varphi_E\rangle\langle\varphi_E|) = 0$. Moreover, X, obtained 
by measuring $A|_{\bar T}$ in basis $\theta|_{\bar T}$, would contain $d_H(\theta|_{\bar T}, \hat\theta|_{\bar T})$ random bits. We show that the 
verification phase enforces these properties, at least approximately in the sense of (1), for an 
arbitrary dishonest Bob B'. 

In the following, $r_H(\cdot,\cdot)$ denotes the relative Hamming distance between two strings, i.e., 
the Hamming distance divided by their length. Recall that $T \subset \{1, \ldots, m\}$ is random subject to 
$|T| = \alpha m$. Furthermore, for a fixed $\hat\theta$ but a randomly chosen $\theta$, the subset $T' = \{i \in T : \theta_i = \hat\theta_i\}$ 
is a random subset (of arbitrary size) of T. Let the random variable Test describe the choice of 
$test = (T, T')$ as specified above, and consider the state 

$$\rho_{TestAE} = \rho_{Test} \otimes |\varphi_{AE}\rangle\langle\varphi_{AE}| = \sum_{test} P_{Test}(test)\, |test\rangle\langle test| \otimes |\varphi_{AE}\rangle\langle\varphi_{AE}|$$

consisting of the classical Test and the quantum state $|\varphi_{AE}\rangle$. 

Lemma 4.3. For any $\varepsilon > 0$, $\hat x \in \{0,1\}^m$ and $\hat\theta \in \{+,\times\}^m$, the state $\rho_{TestAE}$ is negligibly close 
(in m) to a state 

$$\tilde\rho_{TestAE} = \sum_{test} P_{Test}(test)\, |test\rangle\langle test| \otimes |\tilde\varphi^{test}_{AE}\rangle\langle\tilde\varphi^{test}_{AE}|$$

where for any $test = (T, T')$: 

$$|\tilde\varphi^{test}_{AE}\rangle = \sum_{x \in B_{test}} \alpha^{test}_x\, |x\rangle_{\hat\theta} \otimes |\psi^{x}_E\rangle$$

for $B_{test} = \{x \in \{0,1\}^m \mid r_H(x|_{\bar T}, \hat x|_{\bar T}) \le r_H(x|_{T'}, \hat x|_{T'}) + \varepsilon\}$, normalized $|\psi^x_E\rangle \in \mathcal H_E$, and arbitrary coefficients $\alpha^{test}_x \in \mathbb C$. 

In other words, we are close to a situation where for any choice of T and T' and for any 
outcome $x|_T$ when measuring $A|_T$ in basis $\hat\theta|_T$, the relative error $r_H(x|_{T'}, \hat x|_{T'})$ gives an upper 
bound (which holds with probability 1) on the relative error $r_H(x|_{\bar T}, \hat x|_{\bar T})$ one would obtain by 
measuring the remaining subsystems $A_i$ with $i \in \bar T$ in basis $\hat\theta_i$. 

Proof. For any test we let $|\tilde\varphi^{test}_{AE}\rangle$ be the renormalized projection of $|\varphi_{AE}\rangle$ into the subspace 
$\mathrm{span}\{|x\rangle_{\hat\theta} \mid x \in B_{test}\} \otimes \mathcal H_E$ and let $|\tilde\varphi^{test\perp}_{AE}\rangle$ be the renormalized projection of $|\varphi_{AE}\rangle$ into the 
orthogonal complement, such that $|\varphi_{AE}\rangle = \varepsilon_{test}|\tilde\varphi^{test}_{AE}\rangle + \varepsilon^\perp_{test}|\tilde\varphi^{test\perp}_{AE}\rangle$ with $\varepsilon_{test} = \langle\tilde\varphi^{test}_{AE}|\varphi_{AE}\rangle$ 
and $\varepsilon^\perp_{test} = \langle\tilde\varphi^{test\perp}_{AE}|\varphi_{AE}\rangle$. By construction, $|\tilde\varphi^{test}_{AE}\rangle$ is of the form required in the statement of the 
lemma. A basic property of the trace norm of pure states gives 

$$\delta\big(|\varphi_{AE}\rangle\langle\varphi_{AE}|,\, |\tilde\varphi^{test}_{AE}\rangle\langle\tilde\varphi^{test}_{AE}|\big) = \sqrt{1 - |\langle\tilde\varphi^{test}_{AE}|\varphi_{AE}\rangle|^2} = |\varepsilon^\perp_{test}| .$$

This last term corresponds to the square root of the probability, when given test, to observe a 
string $x \notin B_{test}$ when measuring subsystem A of $|\varphi_{AE}\rangle$ in basis $\hat\theta$. Furthermore, using elementary 
properties of the trace norm and Jensen's inequality gives 

$$\delta(\rho_{TestAE}, \tilde\rho_{TestAE}) = \sum_{test} P_{Test}(test)\, \delta\big(|\varphi_{AE}\rangle\langle\varphi_{AE}|,\, |\tilde\varphi^{test}_{AE}\rangle\langle\tilde\varphi^{test}_{AE}|\big) = \sum_{test} P_{Test}(test)\, |\varepsilon^\perp_{test}| \le \sqrt{\sum_{test} P_{Test}(test)\, |\varepsilon^\perp_{test}|^2} ,$$

where the expression under the square root is the probability to observe a string $x \notin B_{test}$ when choosing test according 
to $P_{Test}$ and measuring subsystem A of $|\varphi_{AE}\rangle$ in basis $\hat\theta$. This situation, though, is a classical 
sampling problem, for which it is well known that for any measurement outcome x, the proba- 
bility (over the choice of test) that $x \notin B_{test}$ is negligible in m (see e.g. [Hoe63]). □ 

In combination with Lemma 2.3 on "small superpositions of product states", and writing h 
for the binary entropy function $h(\mu) = -(\mu\log(\mu) + (1-\mu)\log(1-\mu))$ as well as using that 
$|\{y \in \{0,1\}^n \mid d_H(y, \hat y) \le \mu n\}| \le 2^{h(\mu)n}$ for any $\hat y \in \{0,1\}^n$ and $0 \le \mu \le \frac12$, we can conclude the 
following. 

Corollary 4.4. Let $\tilde\rho_{TestAE}$ be of the form as in Lemma 4.3 (for given $\varepsilon$, $\hat x$ and $\hat\theta$). For any 
fixed $test = (T, T')$ and for any fixed $x|_T \in \{0,1\}^{\alpha m}$ with $err := r_H(x|_{T'}, \hat x|_{T'}) \le \frac12$, let $|\psi_{AE}\rangle$ 
be the state to which $|\tilde\varphi^{test}_{AE}\rangle$ collapses when for every $i \in T$ subsystem $A_i$ is measured in basis 
$\hat\theta_i$ and $x_i$ is observed, where we understand A in $|\psi_{AE}\rangle$ to be restricted to the registers $A_i$ with 
$i \in \bar T$. Finally, let $\sigma_E = \mathrm{tr}_A(|\psi_{AE}\rangle\langle\psi_{AE}|)$ and let the random variable X describe the outcome 
when measuring the remaining $n = (1-\alpha)m$ subsystems of A in basis $\theta|_{\bar T} \in \{+,\times\}^n$. Then, 
for any subset $I \subseteq \{1, \ldots, n\}$ and any $x|_{\bar I}$,(*) 

$$H_\infty(X|_I \mid X|_{\bar I} = x|_{\bar I}) \ge d_H(\theta|_I, \hat\theta|_I) - h(err + \varepsilon)n \quad\text{and}\quad H_0(\sigma_E) \le h(err + \varepsilon)n .$$

Thus, the number of errors between the measured $x|_{T'}$ and the given $\hat x|_{T'}$ gives us a bound on 
the min-entropy of the outcome when measuring the remaining subsystems of A, and on the 
max-entropy of the state of subsystem E. 



(*) Below, $\theta|_I$ (and similarly $\hat\theta|_I$) should be understood as first restricting the m-bit vector $\theta$ to $\bar T$, and then 
restricting the resulting n-bit vector $\theta|_{\bar T}$ to I: $\theta|_I := (\theta|_{\bar T})|_I$. 

Proof. To simplify notation, we write $\vartheta = \theta|_{\bar T}$ and $\hat\vartheta = \hat\theta|_{\bar T}$. By definition of $\tilde\rho_{TestAE}$, for 
any fixed values of $\varepsilon, \hat x$, and $\hat\theta$, the state $|\psi_{AE}\rangle$ is of the form $|\psi_{AE}\rangle = \sum_{y \in \mathcal Y} \alpha_y\, |y\rangle_{\hat\vartheta} \otimes |\psi^y_E\rangle$ 
where $\mathcal Y = \{y \in \{0,1\}^n : d_H(y, \hat x|_{\bar T}) \le (err + \varepsilon)n\}$. Consider the corresponding mixture 
$\sigma_{AE} = \sum_{y \in \mathcal Y} |\alpha_y|^2\, |y\rangle\langle y|_{\hat\vartheta} \otimes |\psi^y_E\rangle\langle\psi^y_E|$ and define $\tilde X$ as the random variable for the outcome when 
measuring register A of $\sigma_{AE}$ in basis $\vartheta$. Notice that $H_\infty(\tilde X) \ge d_H(\vartheta, \hat\vartheta)$ since any state $|y\rangle_{\hat\vartheta}$, 
when measured in basis $\vartheta$, produces a random bit for every position i with $\vartheta_i \neq \hat\vartheta_i$. Lemma 2.3 
allows us to conclude that $H_\infty(X) \ge H_\infty(\tilde X) - \log|\mathcal Y| \ge d_H(\vartheta, \hat\vartheta) - h(err + \varepsilon)n$ and 
$H_0(\sigma_E) \le \log|\mathcal Y| \le h(err + \varepsilon)n$. This proves the claim for $I = \{1, \ldots, n\}$. For arbitrary $I \subset \{1, \ldots, n\}$ 
and $x|_{\bar I}$ we can consider the pure state obtained by measuring the registers $A_i$ with $i \in \bar I$ in 
basis $\vartheta_i$ when $x|_{\bar I}$ is observed. This state is still a superposition of at most $|\mathcal Y|$ vectors and thus 
we can apply the exact same reasoning to obtain (1). □ 

The claim to be shown now follows by combining Lemma 4.3 and Corollary 4.4. Indeed, the 
ideal state $\rho_{ideal}$ we promised is produced by putting A and B' in the state $\tilde\rho_{TestAE}$ defined in 
Lemma 4.3, and running Steps 2 and 3 of the verification phase. This state is negligibly close 
to the real state since by Lemma 4.3 we were negligibly close to the real state before these 
operations. Corollary 4.4 guarantees that (1) is satisfied. 

5 Extensions and Generalizations 

5.1 In the Presence of Noise 

In the description of the compiler $C^\alpha$ and in its analysis, we assumed the quantum communication 
to be noise-free. Indeed, if the quantum communication is noisy, honest Alice is likely to 
reject an execution with honest Bob. It is straightforward to generalize the result to noisy quantum 
communication: in Step 2 in the verification phase of $C^\alpha(\Pi)$, Alice rejects and aborts if the 
relative number of errors between $x_i$ and $\hat x_i$ for $i \in T$ with $\theta_i = \hat\theta_i$ exceeds the error probability $\phi$ 
induced by the noise in the quantum communication by some small $\varepsilon' > 0$. By Hoeffding's 
inequality [Hoe63], this guarantees that honest Alice does not reject honest Bob except with 
exponentially small probability. Furthermore, proving the security of this "noise-resistant" compiler 
goes along the exact same lines as for the original compiler. The only difference is that 
when applying Corollary 4.4, the parameter err has to be chosen as $err = \phi + \varepsilon'$, so that (1) 
holds for $\beta = h(err + \varepsilon) = h(\phi + \varepsilon' + \varepsilon)$, and thus the claim of Theorem 4.2 holds for any $\beta > h(\phi)$ 
(by choosing $\varepsilon, \varepsilon' > 0$ small enough). This allows us to generalize the results from Section 6 
to the setting of noisy quantum communication. 

5.2 Bounded-Quantum-Storage Security 

In this section we show that our compiler preserves security in the bounded-quantum-storage 
model (BQSM). In this model, one of the players (Bob in our case) is assumed to be able to 
store only a limited number of qubits beyond a certain point in the protocol. BQSM-secure OT 
and identification protocols are known [DFR+07,DFSS07], but they can be efficiently broken 
if the memory bound does not hold. Therefore, by the theorem below, applying the compiler 
produces protocols with better security, namely the adversary needs large quantum storage and 
large computing power to succeed. 

Consider a BB84-type protocol $\Pi$, and for a constant $0 < \gamma < 1$, let $\mathfrak B^\gamma_{BQSM}(\Pi)$ be the set 
of dishonest players B' that store only $\gamma n$ qubits after a certain point in $\Pi$, where n is the 
number of qubits sent initially. Protocol $\Pi$ is said to be unconditionally secure against $\gamma$-BQSM 
Bob if it satisfies Definition 3.3 with the restriction that the quantification is over all dishonest 
$B' \in \mathfrak B^\gamma_{BQSM}(\Pi)$. 

Theorem 5.1. If $\Pi$ is unconditionally secure against $\gamma$-BQSM Bob, then $C^\alpha(\Pi)$ (for any $0 < \alpha < 1$) 
is unconditionally secure against $\gamma(1-\alpha)$-BQSM Bob. 

Proof. Exactly as in the proof of Theorem 4.2, given dishonest Bob B' attacking $C^\alpha(\Pi)$, we con- 
struct dishonest Bob $\hat B'_0$ attacking the original protocol $\Pi$. The only difference here is that we let 
$\hat B'_0$ generate the CRS "correctly" as $pk_H$ sampled according to $\mathcal G_H$. It follows by construction of 
$\hat B'_0$ that $\mathrm{out}^{\Pi}_{A_0,\hat B'_0} = \mathrm{out}^{C^\alpha(\Pi)}_{A,B'}$. Also, it follows by construction of $\hat B'_0$ that if $B' \in \mathfrak B^{\gamma(1-\alpha)}_{BQSM}(C^\alpha(\Pi))$ 
then $\hat B'_0 \in \mathfrak B^\gamma_{BQSM}(\Pi)$, since $\hat B'_0$ requires the same amount of quantum storage as B' but communi- 
cates an $\alpha$-fraction fewer qubits. It thus follows that there exists $\hat B'$ such that 

$$\mathrm{out}^{\Pi}_{A_0,\hat B'_0} \approx \mathrm{out}^{\mathcal F}_{\hat A,\hat B'} .$$

This proves the claim. □ 



5.3 Efficient Simulation 

The security definitions we use here are clearly closely related to the UC-security concept in that 
they require a protocol to implement a certain functionality, and that this can be demonstrated 
via a simulation argument. However, our definitions do not imply UC-security. For this we would 
need all simulators to be efficient, and our definition of unconditional security against dishonest 
Alice does not require this (unlike the definition of computational security against Bob). 

Of course, it might still be the case that our compilation preserves efficiency of the simulator, 
namely if protocol $\Pi$ is secure against dishonest Alice with efficient simulator $\hat A'$, then so is 
$C^\alpha(\Pi)$. 

Although this would be desirable, it does not seem to be the case for our basic construc- 
tion: In order to show such a result, we would need to simulate the preprocessing phase against 
dishonest A' efficiently and without measuring the qubits that are not "opened during" prepro- 
cessing. Once this is done, we can give the remaining qubits to A' who can simulate the rest of 
the protocol. 

However, the whole point of the preprocessing is to ensure that Bob measures all qubits, 
unless he can break the binding property of the commitments, so the only hope is to bring 
the simulator in a situation where it can make commitments and open them any way it wants. 
The standard way to do this is to give the simulator some trapdoor information related to the 
common reference string, that Bob would not have in real life. Indeed, with such a trapdoor 
commitment scheme, simulation of the preprocessing is trivial: We just wait until Alice reveals 
the bases and the test subset, measure qubits in the test subset, and open the commitments 
according to the measurement results. 

While no such trapdoor is known for the commitment scheme we suggested earlier, it is 
possible to extend the construction efficiently to build in such a trapdoor: 

To do this, we need a new ingredient, namely a relation R representing a hard problem, and 
a $\Sigma$-protocol for R. The relation is a set of pairs $R = \{(u,w)\}$ where u can be thought of as 
a problem instance and w as the solution. The relation is hard if one can efficiently generate 
$(u,w) \in R$ such that from u one cannot in polynomial time compute w such that $(u,w) \in R$. We 
need that R is hard even for quantum algorithms. We also need that there is a $\Sigma$-protocol, i.e. 
an honest verifier perfect zero-knowledge interactive proof of knowledge where a prover shows, 
on input u, that he knows w such that $(u,w) \in R$. Protocol conversations have form (a, b, z) 
where the prover sends a, the verifier gives a random challenge bit b and the prover sends z. It 
is required that, given conversations $(a, 0, z_0), (a, 1, z_1)$ that the verifier would accept, one can 
compute w such that $(u,w) \in R$. 

As an example, one can think of $u = (G_0, G_1)$ where $G_0, G_1$ are isomorphic graphs and 
w is an isomorphism. The $\Sigma$-protocol is just the well-known standard zero-knowledge proof 
for graph isomorphism. There are several plausible and practically more useful examples, see 
[DFS04]. 

Given this, and a commitment scheme with public key $pk_H$ as described above, we build a 
new commitment scheme as follows: the public key is $u, pk_H$. To commit to a bit b, the committer 
runs the honest verifier simulator to get a conversation (a, b, z). The commitment is now $a, c_0, c_1$, 
where $c_b = \mathrm{Commit}(z, r)$ and $c_{1-b} = \mathrm{Commit}(0, r')$. To open a commitment, one reveals b and 
opens $c_b$. The receiver checks that (a, b, z) is accepting and that $c_b$ was correctly opened. 

By perfect honest verifier zero-knowledge and perfect hiding of commitments based on $pk_H$, 
the new commitment is perfectly hiding. However, if one knows w such that $(u,w) \in R$, one 
can compute $(a, 0, z_0)$ and $(a, 1, z_1)$, both of which are accepting conversations, and set 
$c_0 = \mathrm{Commit}(z_0, r_0)$, $c_1 = \mathrm{Commit}(z_1, r_1)$, and it is now possible to open both ways. Hence w serves 
as the trapdoor we need for efficient simulation above. 

The new commitment scheme still has the property we need for the compilation, namely one can 
choose the public key in a different but indistinguishable way, such that the committed bit can 
be extracted: we let the public key be $u, pk_B$, where $pk_B$ is a binding public key for our original 
scheme. Now, given a commitment $(a, c_0, c_1)$, we can decrypt $c_0, c_1$ to see which of them contains 
a valid reply in the $\Sigma$-protocol. The only way we can fail to predict how the commitment can 
be opened is if both $c_0$ and $c_1$ contain valid replies. But this would imply that the committer 
can compute w, so for a polynomial-time bounded committer this only happens with negligible 
probability, since the relation is assumed to be hard. 
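The construction above can be made concrete with the graph-isomorphism $\Sigma$-protocol the text names. The Python block below is an added example rather than the paper's code: it implements the three-move protocol, its honest-verifier simulator and the two-conversation witness extractor, and builds the trapdoor commitment on top of them. The base $\mathrm{Commit}(m, r)$ is a SHA-256 hash of message and randomness, a placeholder for the unconditionally hiding scheme with key $pk_H$ (the hash is only computationally hiding, so what carries over is the structure of the construction, not its perfect hiding); every function name here is the example's own.

```python
"""Trapdoor bit commitment from the graph-isomorphism Sigma-protocol (Section 5.3).
Added example, not the paper's code.  The base commitment is a hash stand-in for
the unconditionally hiding scheme with key pk_H."""
import hashlib
import random
from typing import FrozenSet, Tuple

Graph = FrozenSet[FrozenSet[int]]          # undirected edge set
Perm = Tuple[int, ...]                      # perm[v] is the image of vertex v
Instance = Tuple[int, Graph, Graph]         # u = (vertex count, G_0, G_1)
ZERO = b"\x00"                              # encoding of the dummy message 0


def apply_perm(p: Perm, g: Graph) -> Graph:
    return frozenset(frozenset(p[v] for v in e) for e in g)


def compose(p: Perm, q: Perm) -> Perm:
    """(p o q)[v] = p[q[v]]"""
    return tuple(p[q[v]] for v in range(len(p)))


def inverse(p: Perm) -> Perm:
    inv = [0] * len(p)
    for v, img in enumerate(p):
        inv[img] = v
    return tuple(inv)


def random_perm(n: int, rng: random.Random) -> Perm:
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)


def gen_instance(n: int, edges, rng: random.Random) -> Tuple[Instance, Perm]:
    """Generator for the hard relation: u = (G_0, G_1 = w(G_0)) with witness w."""
    g0 = frozenset(frozenset(e) for e in edges)
    w = random_perm(n, rng)
    return (n, g0, apply_perm(w, g0)), w


# Sigma-protocol for graph isomorphism; a conversation is (a, b, z).
def sigma_verify(u: Instance, a: Graph, b: int, z: Perm) -> bool:
    """Verifier accepts iff z maps G_b onto the first message a."""
    return apply_perm(z, u[1 + b]) == a


def sigma_simulate(u: Instance, b: int, rng: random.Random) -> Tuple[Graph, Perm]:
    """Honest-verifier simulator: choose z first, then set a := z(G_b)."""
    z = random_perm(u[0], rng)
    return apply_perm(z, u[1 + b]), z


def sigma_answer_both(u: Instance, w: Perm, rng: random.Random) -> Tuple[Graph, Perm, Perm]:
    """With the witness, one first message a = sigma(G_0) is answerable for b = 0 and b = 1."""
    sigma = random_perm(u[0], rng)
    return apply_perm(sigma, u[1]), sigma, compose(sigma, inverse(w))


def extract_witness(z0: Perm, z1: Perm) -> Perm:
    """Special soundness: z0(G_0) = a = z1(G_1) gives w = z1^{-1} o z0 with w(G_0) = G_1."""
    return compose(inverse(z1), z0)


# Base commitment (hash stand-in for pk_H) and the new scheme built on it.
def commit(msg: bytes, r: bytes) -> str:
    return hashlib.sha256(msg + r).hexdigest()


def rand_bytes(rng: random.Random) -> bytes:
    return rng.getrandbits(128).to_bytes(16, "big")


def trapdoor_commit(u: Instance, b: int, rng: random.Random):
    """Honest committer: (a, c_0, c_1) with c_b = Commit(z, r) and c_{1-b} = Commit(0, r')."""
    a, z = sigma_simulate(u, b, rng)
    r, r_other = rand_bytes(rng), rand_bytes(rng)
    c = [None, None]
    c[b] = commit(bytes(z), r)
    c[1 - b] = commit(ZERO, r_other)
    return (a, c[0], c[1]), (b, z, r)


def open_verify(u: Instance, com, opening) -> bool:
    """Receiver: (a, b, z) must be accepting and c_b must open to z under randomness r."""
    a, c0, c1 = com
    b, z, r = opening
    return sigma_verify(u, a, b, z) and commit(bytes(z), r) == (c0, c1)[b]


def equivocal_commit(u: Instance, w: Perm, rng: random.Random):
    """Committer holding the trapdoor w: both c_0 and c_1 contain valid replies, so the
    commitment can later be opened to either bit (what the simulator of Section 5.3 needs)."""
    a, z0, z1 = sigma_answer_both(u, w, rng)
    r0, r1 = rand_bytes(rng), rand_bytes(rng)
    return (a, commit(bytes(z0), r0), commit(bytes(z1), r1)), (0, z0, r0), (1, z1, r1)


def demo(seed: int = 7) -> Tuple[bool, bool, bool, bool, bool]:
    """Constructed instance: a 6-cycle with one chord, relabelled by a random witness."""
    rng = random.Random(seed)
    u, w = gen_instance(6, [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 0), (0, 3)], rng)
    com, op = trapdoor_commit(u, 1, rng)
    com2, op0, op1 = equivocal_commit(u, w, rng)
    w_ext = extract_witness(op0[1], op1[1])
    return (open_verify(u, com, op), open_verify(u, com2, op0), open_verify(u, com2, op1),
            apply_perm(w_ext, u[1]) == u[2], open_verify(u, com, (op[0], op[1], b"wrong")))
```

`demo` returns, in order: an honest commitment opens correctly; the trapdoor commitment opens as 0 and as 1; the two replies in it yield a valid isomorphism, which is why a committer who can open both ways must know w; and an opening with the wrong randomness is rejected. With the binding key $pk_B$ of the text, the receiver would instead decrypt $c_0, c_1$ and keep whichever contains an accepting reply.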

5.4 Doing without a Common Reference String 

We can get rid of the CRS assumption by instead generating a reference string from scratch using 
a coin-flip protocol. In [DL09], such a coin-flip protocol is described and proved secure against 
quantum adversaries using Watrous' quantum rewinding method [Wat06]. Note that for our 
compiler, we want the CRS to be an unconditionally hiding public key, and when using Regev's 
cryptosystem, a uniformly random string (as output by the coin-flip) does indeed determine 
such a key, except with negligible probability. 

6 Applications 

6.1 Oblivious Transfer 

We discuss a protocol that securely implements one-out-of-two oblivious transfer of strings of 
length $\ell$ (i.e. 1-2 $\mathrm{OT}^\ell$). In 1-2 $\mathrm{OT}^\ell$, the sender A sends two $\ell$-bit strings $s_0$ and $s_1$ to the receiver 
B. B can choose which string to receive ($s_k$) but does not learn anything about the other one 
($s_{1-k}$). On the other hand, A does not learn B's choice bit k. The protocol is almost identical 
to the 1-2 $\mathrm{OT}^\ell$ introduced in [BBCS91], but uses hash functions instead of parity values to 
mask the inputs $s_0$ and $s_1$. The resulting scheme, called 1-2 $\mathrm{QOT}^\ell$, is presented in Figure 5, 
where $\mathcal F$ denotes a suitable family of universal hash functions with range $\{0,1\}^\ell$ (as specified 
in [DFR+07]). We assume that $\ell = \lfloor\lambda n\rfloor$ for some constant $\lambda > 0$. 



Protocol 1-2 $\mathrm{QOT}^\ell$: 

Preparation: A chooses $x \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$ and sends $|x\rangle_\theta$ to B, and B chooses $\hat\theta \in_R \{0,1\}^n$ and 
obtains $\hat x \in \{0,1\}^n$ by measuring $|x\rangle_\theta$ in basis $\hat\theta$. 

Post-processing: 1. A sends $\theta$ to B. 

2. B partitions all positions $1 \le i \le n$ in two subsets according to his choice bit $k \in \{0,1\}$: the "good" 
subset $I_k := \{i : \theta_i = \hat\theta_i\}$ and the "bad" subset $I_{1-k} := \{i : \theta_i \neq \hat\theta_i\}$. B sends $(I_0, I_1)$ to A. 

3. A sends descriptions of $f_0, f_1 \in_R \mathcal F$ together with $m_0 := s_0 \oplus f_0(x|_{I_0})$ and $m_1 := s_1 \oplus f_1(x|_{I_1})$. 

4. B computes $s_k = m_k \oplus f_k(\hat x|_{I_k})$. 

Fig. 5. Protocol for String OT. 
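A classical simulation of 1-2 $\mathrm{QOT}^\ell$, added here as an example and not taken from the paper: the preparation phase is modelled by the rule that Bob's outcome $\hat x_i$ equals $x_i$ where the bases agree and is a fresh uniform bit otherwise, and $\mathcal F$ is instantiated by random $\ell \times |I_j|$ binary matrices, a universal family of GF(2)-linear hash functions standing in for the family of [DFR+07]. The function names (`qot_run` and its helpers) are the example's own.

```python
"""Classical simulation of protocol 1-2 QOT^l (Figure 5).  Added example, not the
paper's code.  Constructed model of the quantum step: x_hat_i = x_i where
theta_i = theta_hat_i, otherwise a uniform bit (basis 0 stands for '+', 1 for 'x')."""
import random
from typing import Dict, List, Sequence, Tuple

Bits = List[int]
Matrix = List[List[int]]   # an l x k binary matrix is one member of the family F


def bb84_preparation(n: int, rng: random.Random) -> Tuple[Bits, Bits, Bits, Bits]:
    x = [rng.randrange(2) for _ in range(n)]
    theta = [rng.randrange(2) for _ in range(n)]
    theta_hat = [rng.randrange(2) for _ in range(n)]
    x_hat = [x[i] if theta[i] == theta_hat[i] else rng.randrange(2) for i in range(n)]
    return x, theta, theta_hat, x_hat


def sample_hash(in_len: int, out_len: int, rng: random.Random) -> Matrix:
    """f in_R F: a random GF(2)-linear map {0,1}^in_len -> {0,1}^out_len."""
    return [[rng.randrange(2) for _ in range(in_len)] for _ in range(out_len)]


def apply_hash(f: Matrix, bits: Sequence[int]) -> Bits:
    return [sum(a & b for a, b in zip(row, bits)) % 2 for row in f]


def xor(a: Sequence[int], b: Sequence[int]) -> Bits:
    return [p ^ q for p, q in zip(a, b)]


def restrict(bits: Sequence[int], positions: Sequence[int]) -> Bits:
    return [bits[i] for i in positions]


def qot_run(s0: Bits, s1: Bits, k: int, n: int, seed: int) -> Dict[str, object]:
    """Run 1-2 QOT^l with honest A holding (s0, s1) and honest B with choice bit k."""
    rng = random.Random(seed)
    ell = len(s0)
    x, theta, theta_hat, x_hat = bb84_preparation(n, rng)
    # Step 1: A announces theta.  Step 2: B sorts positions into I_k (good) and I_{1-k} (bad).
    good = [i for i in range(n) if theta[i] == theta_hat[i]]
    bad = [i for i in range(n) if theta[i] != theta_hat[i]]
    I = (good, bad) if k == 0 else (bad, good)
    # Step 3: A masks s_j with f_j(x|I_j).  A sees only the partition, not which half is good.
    f = [sample_hash(len(I[j]), ell, rng) for j in range(2)]
    s = (s0, s1)
    m = [xor(s[j], apply_hash(f[j], restrict(x, I[j]))) for j in range(2)]
    # Step 4: B unmasks his chosen string with his own outcomes on the good positions.
    recovered = xor(m[k], apply_hash(f[k], restrict(x_hat, I[k])))
    # The same computation on the bad positions, where x_hat is uncorrelated with x.
    attempt_other = xor(m[1 - k], apply_hash(f[1 - k], restrict(x_hat, I[1 - k])))
    mismatch = sum(x[i] != x_hat[i] for i in bad) / len(bad)
    return {"recovered": recovered, "attempt_other": attempt_other,
            "bad_mismatch_rate": mismatch, "sizes": (len(I[0]), len(I[1]))}


if __name__ == "__main__":
    s0, s1 = [1, 0] * 8, [0, 1] * 8      # constructed 16-bit inputs
    out = qot_run(s0, s1, 0, 1024, 5)
    print("B recovered s_0:", out["recovered"] == s0)
    print("fraction of bad positions where x_hat differs from x:", out["bad_mismatch_rate"])
```

The mismatch rate on the bad subset sits near one half, which is the classical shadow of the min-entropy bound used in the proof of Theorem 6.1: with the bases independent, roughly $n/2$ positions are bad, and on those Bob's outcomes carry no information about $x$, so $f_{1-k}(x|_{I_{1-k}})$ is a fresh mask for $s_{1-k}$.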
Theorem 6.1. Protocol 1-2 $\mathrm{QOT}^\ell$ is unconditionally secure against $\beta$-benign Bob for any $\beta < \frac18 - \frac\lambda2$. 

Proof. Let $\mathcal F_{OT}$ be the ideal oblivious transfer functionality. For any given benign Bob B', we 
construct $\hat B'$ the following way. $\hat B'$ runs locally a copy of B' and simulates Alice by running A up 
to but not including Step 3. After the preparation phase, $\hat B'$ gets $\hat\theta$ since B' is benign. When the 
simulation of A reaches the point just after the announcement of $I_0$ and $I_1$ in Step 3, $\hat B'$ finds 
k' such that $d_H(\theta|_{I_{k'}}, \hat\theta|_{I_{k'}})$ is minimum for $k' \in \{0,1\}$. $\hat B'$ then calls $\mathcal F_{OT}$ with input k' and 
obtains output $s_{k'}$. $\hat B'$ sets $m_{k'} = s_{k'} \oplus f_{k'}(x|_{I_{k'}})$ and $m'_{1-k'} \in_R \{0,1\}^\ell$ before sending $(m_0, m_1)$ 
to B'. $\hat B'$ then outputs whatever B' outputs. 

We now argue that the state output by $\hat B'$ is statistically close to the state output by B' when 
executing 1-2 $\mathrm{QOT}^\ell$ with the real A. The only difference is that while $\hat B'$ sends $m'_{1-k'} \in_R \{0,1\}^\ell$, 
the real A sends $m_{1-k'} = s_{1-k'} \oplus f_{1-k'}(x|_{I_{1-k'}})$. To conclude, we simply need to show that $m_{1-k'}$ is 
statistically indistinguishable from uniform from the point of view of B'. Note that since $\theta$ and 
$\hat\theta$ are independent and $\theta$ is a uniform n-bit string, we have that for any $\varepsilon > 0$, $d_H(\theta, \hat\theta) \ge (1-\varepsilon)n/2$, 
except with negligible probability. It follows that with overwhelming probability 
$d_H(\theta|_{I_{1-k'}}, \hat\theta|_{I_{1-k'}}) \ge (1-\varepsilon)n/4$. Since B' is $\beta$-benign, we have that 
$H_\infty(X|_{I_{1-k'}} \mid X|_{I_{k'}} = x|_{I_{k'}}) \ge (1-\varepsilon)n/4 - \beta n$ and $H_0(\rho_E) \le \beta n$, which implies, from privacy 
amplification, that $f_{1-k'}(x|_{I_{1-k'}})$ is statistically indistinguishable from uniform for B' provided 
$\lambda < \frac14 - 2\beta - \varepsilon$ for any $\varepsilon > 0$. We conclude that $m_{1-k'}$ is statistically close to uniform. □ 

By combining Theorem 6.1 with Theorem 4.2, and the results of [DFR+07] (realizing that 
the same analysis also applies to 1-2 $\mathrm{QOT}^\ell$) with Theorem 5.1, we obtain the following hybrid- 
security result. 

Corollary 6.2. Let $0 < \alpha < 1$ and $\lambda < \frac18$. Then protocol $C^\alpha(\text{1-2 } \mathrm{QOT}^\ell)$ is computationally secure 
against dishonest Bob and unconditionally secure against $\gamma(1-\alpha)$-BQSM Bob with $\gamma < \frac14 - 2\lambda$. 

6.2 Password-Based Identification 

We want to apply our compiler to the quantum password-based identification scheme from [DFSS07]. 
Such an identification scheme allows a user A to identify herself to server B by means of a com- 
mon (possibly non-uniform and low-entropy) password $w \in \mathcal W$, such that dishonest A' cannot 
delude honest server B with probability better than trying to guess the password, and dishonest 
B' learns no information on A's password beyond trying to guess it and learning whether the 
guess is correct or not. 

In [DFSS07], using quantum-information-theoretic security definitions, the proposed iden- 
tification scheme was proven to be unconditionally secure against arbitrary dishonest Alice 
and against quantum-memory-bounded dishonest Bob. In [FS09] it was then shown that these 
security definitions imply simulation-based security as considered here, with respect to the func- 
tionality $\mathcal F_{ID}$ given in Figure 6.(†) 



Functionality $\mathcal F_{ID}$: Upon receiving $w_A, w_B \in \mathcal W$ from user Alice and from server Bob, respectively, $\mathcal F_{ID}$ 
outputs the bit $y := (w_A \stackrel{?}{=} w_B)$ to Bob. In case Alice is dishonest, she may choose $w_A = \bot$ (where $\bot \notin \mathcal W$). 
For any choice of $w_A$ the bit y is also output to dishonest Alice. 

Fig. 6. The Ideal Password-Based Identification Functionality. 

(†) Actually, the definition and proof from [DFSS07] guarantees security only for a slightly weaker functionality, 
which gives some unfair advantage to dishonest A' in case she guesses the password correctly; however, as 
discussed in [FS09], the protocol from [DFSS07] does implement functionality $\mathcal F_{ID}$. 
We cannot directly apply our compiler to the identification scheme as given in [DFSS07], 
since it is not a BB84-type protocol. The protocol does start with a preparation phase in which 
Alice sends BB84 qubits to Bob, but Bob does not measure them in a random basis but in a 
basis determined by his password $w_B \in \mathcal W$; specifically, Bob uses as basis the encoding $c(w_B)$ 
of $w_B$ with respect to a code $c : \mathcal W \to \{+,\times\}^n$ with "large" minimal distance. However, it 
is easy to transform the original protocol from [DFSS07] into a BB84-type protocol without 
affecting security: we simply let Bob apply a random shift $\kappa$ to the code, which Bob only 
announces to Alice in the post-processing phase, and then Alice and Bob complete the protocol 
with the shifted code. The resulting protocol QID is described in Figure 7, where $\mathcal F$ and $\mathcal G$ 
are suitable families of (strongly) universal hash functions (we refer to [DFSS07] for the exact 
specifications). It is not hard to see that this modification does not affect security as proven 
in [DFSS07] (and [FS09]). 



Protocol QID: 

Preparation: A chooses $x \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$ and sends $|x\rangle_\theta$ to B, and B chooses $\hat\theta \in_R \{0,1\}^n$ and 
obtains $\hat x \in \{0,1\}^n$ by measuring $|x\rangle_\theta$ in basis $\hat\theta$. 

Post-processing: 1. B computes a string $\kappa \in \{+,\times\}^n$ such that $\hat\theta = c(w) \oplus \kappa$ (we think of + as 0 and $\times$ as 
1 so that $\oplus$ makes sense). He sends $\kappa$ to A and we define $c'(w) := c(w) \oplus \kappa$. 

2. A sends $\theta$ and $f \in_R \mathcal F$ to B. Both compute $I_w := \{i : \theta_i = c'(w)_i\}$. 

3. B sends $g \in_R \mathcal G$. 

4. A sends $z := f(x|_{I_w}) \oplus g(w)$ to B. 

5. B accepts if and only if $z = f(\hat x|_{I_w}) \oplus g(w)$. 

Fig. 7. Protocol for Secure Password-Based Identification. 
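The shifted-code step of Figure 7, and the way Bob's basis choice fixes the password guess that the simulator in the proof of Theorem 6.3 decodes from $\hat\theta \oplus \kappa$, as an added Python example that is not the paper's code. Here $c$ is a repetition code over $t$-bit passwords with block-wise majority decoding, $\mathcal F$ is a random binary matrix applied to $x$ masked to $I_w$ (zero outside $I_w$, so one $f$ serves whatever $|I_w|$ each party computes), and $\mathcal G$ is a random binary matrix on the password bits; these stand in for the families of [DFSS07] only for illustration, and the quantum step is modelled classically as in the preceding examples. Function names are the example's own.

```python
"""Classical simulation of protocol QID (Figure 7) with a repetition code as c, plus
the decoding step the simulator uses in the proof of Theorem 6.3.  Added example,
not the paper's code.  Constructed model: x_hat_i = x_i where the bases agree,
otherwise a uniform bit; '+' is 0 and 'x' is 1 so that XOR is the shift."""
import random
from typing import Dict, List, Sequence, Tuple

Bits = List[int]
Matrix = List[List[int]]


def encode(w: int, t: int, rep: int) -> Bits:
    """c : W -> {0,1}^n with n = t*rep: every password bit repeated rep times (rep odd)."""
    return [(w >> j) & 1 for j in range(t) for _ in range(rep)]


def decode(bits: Sequence[int], t: int, rep: int) -> Tuple[int, int]:
    """Nearest codeword by block-wise majority; returns (w', Hamming distance to c(w'))."""
    w, dist = 0, 0
    for j in range(t):
        ones = sum(bits[j * rep:(j + 1) * rep])
        bit = 1 if 2 * ones > rep else 0
        w |= bit << j
        dist += (rep - ones) if bit else ones
    return w, dist


def bb84_preparation(n: int, rng: random.Random) -> Tuple[Bits, Bits, Bits, Bits]:
    x = [rng.randrange(2) for _ in range(n)]
    theta = [rng.randrange(2) for _ in range(n)]
    theta_hat = [rng.randrange(2) for _ in range(n)]
    x_hat = [x[i] if theta[i] == theta_hat[i] else rng.randrange(2) for i in range(n)]
    return x, theta, theta_hat, x_hat


def sample_hash(in_len: int, out_len: int, rng: random.Random) -> Matrix:
    return [[rng.randrange(2) for _ in range(in_len)] for _ in range(out_len)]


def apply_hash(f: Matrix, bits: Sequence[int]) -> Bits:
    return [sum(a & b for a, b in zip(row, bits)) % 2 for row in f]


def xor(a: Sequence[int], b: Sequence[int]) -> Bits:
    return [p ^ q for p, q in zip(a, b)]


def qid_run(w_a: int, w_b: int, t: int, rep: int, ell: int, seed: int) -> Dict[str, object]:
    """Run QID with Alice holding w_a and the server holding w_b."""
    rng = random.Random(seed)
    n = t * rep
    x, theta, theta_hat, x_hat = bb84_preparation(n, rng)
    # Step 1: B picks kappa with theta_hat = c(w_B) xor kappa and announces it.
    kappa = xor(theta_hat, encode(w_b, t, rep))
    # Step 2: A sends theta and f.  Each party derives I_w from its own password.
    f = sample_hash(n, ell, rng)

    def positions(w: int) -> set:
        c_shifted = xor(encode(w, t, rep), kappa)          # c'(w) = c(w) xor kappa
        return {i for i in range(n) if theta[i] == c_shifted[i]}

    def f_on(bits: Sequence[int], I: set) -> Bits:
        return apply_hash(f, [bits[i] if i in I else 0 for i in range(n)])

    # Step 3: B sends g.  Step 4: A sends z.  Step 5: B recomputes and compares.
    g = sample_hash(t, ell, rng)
    z = xor(f_on(x, positions(w_a)), apply_hash(g, encode(w_a, t, 1)))
    accepted = z == xor(f_on(x_hat, positions(w_b)), apply_hash(g, encode(w_b, t, 1)))
    # The simulator's step from the proof of Theorem 6.3: decode theta_hat xor kappa.
    extracted, dist = decode(xor(theta_hat, kappa), t, rep)
    return {"accepted": accepted, "extracted": extracted, "decode_distance": dist}


if __name__ == "__main__":
    print("same password accepted:", qid_run(0xA5, 0xA5, 8, 15, 32, 3)["accepted"])
    print("different passwords accepted:", qid_run(0xA5, 0x5A, 8, 15, 32, 4)["accepted"])
    print("password the server's basis commits him to:", hex(qid_run(0xA5, 0x5A, 8, 15, 32, 4)["extracted"]))
```

With matching passwords the two parties compute the same $I_w$, on which $x_i = \hat x_i$, so the check passes; with different passwords $g(w_A) \oplus g(w_B)$ is a fresh $\ell$-bit mask and the check fails except with probability $2^{-\ell}$. The last return value shows why a benign server gains nothing beyond one guess: $\hat\theta \oplus \kappa$ decodes to exactly the password he measured with.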



Theorem 6.3. If the code $c : \mathcal W \to \{+,\times\}^n$ can correct at least $\delta n$ errors in polynomial-time 
for a constant $\delta$, then protocol QID is unconditionally secure against $\beta$-benign Bob for any $\beta < \frac\delta4$. 

Proof. For any given benign Bob B', we construct $\hat B'$ as follows. $\hat B'$ runs locally a copy of B' and 
simulates Alice's actions by running A faithfully except for the following modifications. After 
the preparation phase, $\hat B'$ gets $\hat\theta$ and $\kappa$ from B' and attempts to decode $\hat\theta \oplus \kappa$. If this succeeds, 
it computes w' such that $c(w')$ is the decoded codeword. Otherwise an arbitrary w' is chosen. 
Then, $\hat B'$ submits w' as Bob's input $w_B$ to $\mathcal F_{ID}$ and receives output $y \in \{0,1\}$. If $y = 1$ then $\hat B'$ 
faithfully completes A's simulation using w' as w; else, $\hat B'$ completes the simulation by using a 
random z' instead of z. In the end, $\hat B'$ outputs whatever B' outputs. 

We need to show that the state output by $\hat B'$ (respectively B') above is statistically close to 
the state output by B' when executing QID with real A. Note that if $w' = w_A$, then the simulation 
of A is perfect and thus the two states are equal. If $w' \neq w_A$ then the simulation is not perfect: 
the real A would use $z = f(x|_{I_{w_A}}) \oplus g(w_A)$ instead of random z'. It thus suffices to argue that 
$f(x|_{I_w})$ is statistically close to random and independent of the view of B' for any fixed $w \neq w'$. 
Note that this is also what had to be proven in [DFSS07], but under a different assumption, 
namely that B' has bounded quantum memory, rather than that he is benign; nevertheless, we 
can recycle part of the proof. 

Recall from the definition of a benign Bob that the common state after the preparation phase 
is statistically close to a state for which it is guaranteed that $H_\infty(X|_I) \ge d_H(\theta|_I, \hat\theta|_I) - \beta n$ for 
any $I \subseteq \{1, \ldots, n\}$, and $H_0(\rho_E) \le \beta n$. By the closeness of these two states, switching from 
the real state to the "ideal" state (which satisfies these bounds) has only a negligible effect on 
the state output by B'; thus, we may assume these bounds to hold. 

Now, if decoding of $\hat\theta \oplus \kappa$ succeeded, it is at Hamming distance at most $\delta n$ from $c(w')$. 
Since the distance from here to the (distinct) codeword $c(w)$ is greater than $2\delta n$, we see that 
$\hat\theta \oplus \kappa$ is at least $\delta n$ away from $c(w)$. The same is true if decoding failed, since then $\hat\theta \oplus \kappa$ is at 
least $\delta n$ away from any codeword. It follows that $c'(w) = c(w) \oplus \kappa$ has Hamming distance at 
least $\delta n$ from $\hat\theta$. Furthermore, for arbitrary $\varepsilon > 0$ and except with negligible probability, the 
Hamming distance between $\theta|_{I_w} = c'(w)|_{I_w}$ and $\hat\theta|_{I_w}$ is at least essentially $(\delta/2 - \varepsilon)n$. Therefore, 
we can conclude that $H_\infty(X|_{I_w}) \ge (\delta/2 - \varepsilon - \beta)n$ and $H_0(\rho_E) \le \beta n$. But now, if such bounds 
hold such that $H_\infty(X|_{I_w}) - H_0(\rho_E)$ is positive and linear in n, which is the case here by the 
choice of parameters, then we can step into the proof from [DFSS07] and conclude by privacy 
amplification [RK05] that z is close to random and independent of E. This finishes the proof. □ 

By combining Theorem 6.3 with Theorem 4.2, and the results of [DFSS07] with Theorem 5.1, 
we obtain the following hybrid-security result. 

Corollary 6.4. Let $0 < \alpha < 1$ and $|\mathcal W| \le 2^{\nu n}$. If the code $c : \mathcal W \to \{+,\times\}^n$ can correct $\delta n$ 
errors for a constant $\delta > 0$ in polynomial-time, then protocol $C^\alpha(\mathrm{QID})$ is computationally secure 
against dishonest Bob and unconditionally secure against $\gamma(1-\alpha)$-BQSM Bob with $\gamma < \frac\delta2 - \nu$. 

Families of codes as required in these results, correcting a constant fraction of errors efficiently 
and with constant information rate, are indeed known, see [SS96]. 

In the next section, we briefly discuss how to obtain hybrid security against man-in-the- 
middle attacks by means of incorporating the techniques used in [DFSS07] to obtain security in 
the BQSM against such attacks. 

6.3 Protecting against Man-in-the-middle Attacks 

The compiled quantum protocols from Sections 6.1 and 6.2 protect against (arbitrary) dishonest 
Alice and against (computationally or quantum-storage bounded) dishonest Bob. However, in 
particular in the context of identification, it is also important to protect against a man-in-the- 
middle attacker, Eve, who attacks an execution of the protocol with honest parties A and B 
while having full control over the classical and the quantum communication. Both QID and 
$C^\alpha(\mathrm{QID})$ are insecure in this model: Eve might measure one of the transmitted qubits, say, in 
the +-basis, and this way learn information on the basis $\hat\theta_i$ used by B and thus on the password 
w simply by observing if B accepts or rejects in the end. 

In [DFSS07] it was shown how to enhance QID in order to obtain security (in the bounded- 
quantum-storage model) against man-in-the-middle attacks. The very same techniques can also 
be used to obtain hybrid security against man-in-the-middle attacks for $C^\alpha(\mathrm{QID})$. The techniques 
from [DFSS07] consist of the following two add-ons to the original protocol. (1) Checking of 
a random subset of the qubits in order to detect disturbance of the quantum communication; 
note that $C^\alpha(\mathrm{QID})$ already does such a check, so this is already taken care of here. And (2) 
authentication of the classical communication. This requires that Alice and Bob, in addition to 
the password, share a high-entropy key k that could be stored, e.g., on a smart-card. This key 
will be used for a so-called extractor MAC which has the additional property, besides being a 
MAC, that it also acts as an extractor, meaning if the message to be authenticated has high 
enough min-entropy, then the key-tag pair is close to randomly and independently distributed. 
As a consequence, the tag gives away (nearly) no information on k and thus k can be re-used 
in the next execution of the protocol.(‡) 

Concretely, in order to obtain hybrid-security against man-in-the-middle attacks for $C^\alpha(\mathrm{QID})$, 
A will, in her last move of the protocol, use an extractor MAC to compute and send to B an 
authentication tag, computed on all the classical messages exchanged plus the string $x|_{I_w}$. 
This tag, together with the qubit checks, prevents Eve from interfering with the (classical 
and quantum) communication without being detected, and security against Eve essentially 
follows from the security against impersonation attacks. Note that including $x|_{I_w}$ into the 
authenticated message guarantees the necessary min-entropy, and as such the re-usability of the 
key k. 

We emphasize that the protocol is still secure against impersonation attacks (i.e. dishonest 
Alice or Bob) even if the adversary knows k. We omit formal proofs since they literally follow 
the corresponding proofs in [DFSS07]. 

(‡) This is in contrast to the standard way of authenticating the classical communication, where the authentication 
key can only be used a bounded number of times. 
A Sequential Composition Theorem for Computational Security 

In this appendix, we show that our new Definition 3.4 of computational security allows for 
sequential composability in a classical environment. In order to state the composition theorem, 
we need to define what we mean by running a quantum protocol in a classical environment. 
Again, we give here a brief summary of the setting from [FS09] and refer the interested reader 
to the original article for further details. 

A classical two-party oracle protocol(§) $\Pi^{\mathcal F_1 \cdots \mathcal F_\ell} = (A, B)$ between Alice and Bob is a protocol 
which makes a bounded number k of sequential oracle calls to possibly different ideal 
functionalities $\mathcal F_1, \ldots, \mathcal F_\ell$. 

For the oracle protocol to be classical, we mean that it has classical in- and output (for the 
honest players), but also that all communication between Alice and Bob is classical. Consider 
a dishonest player, say Bob, and consider the common state $\rho_{U_j V'_j}$ at any point during the 
execution of the oracle protocol when a call to functionality $\mathcal F_j$ is made. The requirement for 
the oracle protocol to be classical is now expressed in that there exists a classical $Z_j$ — to be 
understood as consisting of B''s classical communication with A and with the $\mathcal F_i$'s up to this 
point — such that given $Z_j$, Bob's quantum state $V'_j$ is not entangled with Alice's classical input 
and auxiliary information: $\rho_{U_j Z_j V'_j} = \rho_{U_j \leftrightarrow Z_j \leftrightarrow V'_j}$. Furthermore, we require that we may assume 
$Z_j$ to be part of $V'_j$ in the sense that for any B' there exists B'' such that $Z_j$ is part of $V'_j$. This 
definition is motivated by the observation that if Bob can communicate only classically with 
Alice, then he can entangle his quantum state with information on Alice's side only by means 
of the classical communication. 

We also consider the protocol we obtain by replacing the ideal functionalities by quantum 
two-party sub-protocols $\pi_1, \ldots, \pi_\ell$ with classical in- and outputs for the honest parties: whenever 
$\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ instructs $A$ and $B$ to execute $\mathcal{F}_{i\,A,B}$, they instead execute $\pi_i$ and take the resulting 
outputs. We write $\Sigma^{\pi_1 \cdots \pi_\ell} = (A, B)$ for the real quantum protocol we obtain this way. 

We recall that in order to define computational security against a dishonest Bob in the 
common-reference-string model, we considered a polynomial-size quantum circuit, called input 
sampler, which takes as input the security parameter $n$ and the CRS $\omega$ (chosen according 
to its distribution) and which produces the input state $\rho_{UZV'}$; $U$ is Alice's classical input to 
the protocol, and $Z$ and $V'$ denote the respective classical and quantum information given 
to dishonest Bob. We require from the input sampler that $\rho_{UZV'} = \rho_{U \leftrightarrow Z \leftrightarrow V'}$, i.e., that $V'$ is 
correlated with Alice's part only via the classical $Z$. When considering classical hybrid protocols 
$\Sigma^{\pi_1 \cdots \pi_\ell}$ in the real world, where the oracle calls are replaced with quantum protocols using a 
common reference string, it is important that every real protocol $\pi_i$ uses a separate instance (or 
part) of the common reference string, which we denote by $\omega_i$. 

Theorem A.1 (Sequential Composition). Let $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell} = (A, B)$ be a classical two-party 
oracle protocol which makes at most $k = \mathrm{poly}(n)$ oracle calls to the functionalities, and for 
every $i \in \{1, \ldots, \ell\}$, let protocol $\pi_i$ be a computationally secure implementation of $\mathcal{F}_i$ against 
$\mathfrak{B}_{\mathrm{poly}}$. 
Then, for every real-world adversary $B' \in \mathfrak{B}_{\mathrm{poly}}$ who accesses the common reference string 
$\omega = \omega_1, \ldots, \omega_k$ there exists an ideal-world adversary $\hat{B}' \in \mathfrak{B}_{\mathrm{poly}}$ who does not use $\omega$ such 
that for every efficient input sampler, it holds that the outputs in the real and ideal world are 
q-indistinguishable, i.e. 
$$out^{\Sigma^{\pi_1 \cdots \pi_\ell}}_{A,B'} \;\overset{q}{\approx}\; out^{\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}}_{A,\hat{B}'}\,.$$ 

Note that we do not specify what it means for the oracle protocol to be secure; Theorem A.1 
guarantees that whatever the oracle protocol achieves, an indistinguishable output is produced 
by the real-life protocol with the oracle calls replaced by protocols. But of course in particular, 
if the oracle protocol is secure in the sense of Definition 3.4, then so is the real-life protocol: 

Corollary A.2. If $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ is a computationally secure implementation of $\mathcal{G}$ against $\mathfrak{B}_{\mathrm{poly}}$, and 
if $\pi_i$ is a computationally secure implementation of $\mathcal{F}_i$ against $\mathfrak{B}_{\mathrm{poly}}$ for every $i \in \{1, \ldots, \ell\}$, 
then $\Sigma^{\pi_1 \cdots \pi_\ell}$ with at most $k = \mathrm{poly}(n)$ oracle calls is a computationally secure implementation 
of $\mathcal{G}$ against $\mathfrak{B}_{\mathrm{poly}}$. 

The following proof is an adaptation of the sequential-composability proof in the information- 
theoretic setting given in [FS09]. 

Proof (of Theorem A.1). Consider a dishonest $B' \in \mathfrak{B}_{\mathrm{poly}}$. We prove the claim by induction on 
$k$. If no oracle calls are made, we can set $\hat{B}' := B'$ and the claim holds trivially. Consider now 
a protocol $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ with at most $k > 0$ oracle calls. For simplicity, we assume that the number 
of oracle calls equals $k$; otherwise we instruct the players to make some "dummy calls". Let 
$\rho_{U_k Z_k V'_k}$ be the common state right before the $k$-th and thus last call to one of the sub-protocols 
$\pi_1, \ldots, \pi_\ell$ in the execution of the real protocol $\Sigma^{\pi_1 \cdots \pi_\ell}$. To simplify notation in the rest of the 
proof, we omit the index $k$ and write $\rho_{UZV'}$ instead; see Figure 8. We know from the induction 
hypothesis for $k-1$ that there exists an ideal-world adversary $\hat{B}' \in \mathfrak{B}_{\mathrm{poly}}$ not using the common 
reference string such that $\rho_{UZV'} \overset{q}{\approx} \sigma_{UZV'}$, where $\sigma_{UZV'}$ is the common state right before the $k$-th 
call to a functionality in the execution of the oracle protocol $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ with $\hat{B}'$. As described at the 
beginning of this section, $U$ and $Z, V'$ are to be understood as follows. $U$ denotes $A$'s input to 
the sub-protocol (respectively functionality) that is to be called next. $Z$ collects 
the classical communication dictated by $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ as well as $B'$'s classical inputs to and outputs 
from the previous oracle calls, and $V'$ denotes the dishonest player's current quantum state. 
Note that the existence of $Z$ is guaranteed by our formalization of classical oracle protocols and 
$$\sigma_{UZV'} = \sigma_{U \leftrightarrow Z \leftrightarrow V'}\,.$$ 

Let $\omega_k$ be the common reference string used in protocol $\pi_i$. For simplicity, we assume that 
the index $i$, which determines the sub-protocol $\pi_i$ (functionality $\mathcal{F}_i$) to be called next, is fixed 
and we just write $\pi$ and $\mathcal{F}$ for $\pi_i$ and $\mathcal{F}_i$, respectively. 

It follows from Definition 3.4 of computational security that there exists $\hat{B}' \in \mathfrak{B}_{\mathrm{poly}}$ (in- 
dependent of the input state) not using $\omega_k$ such that the corresponding output states $\sigma_{XZY'}$ 
and $\tau_{XZY'}$ produced by $\mathcal{F}_{A,\hat{B}'}$ (as prescribed by the oracle protocol) and $\pi_{A,B'}$ run on the state 
$\sigma_{UZV'} = \sigma_{U \leftrightarrow Z \leftrightarrow V'}$ are q-indistinguishable. 

The induction step is then completed as follows: 
$$out^{\Sigma^{\pi_1 \cdots \pi_\ell}}_{A,B'} = \rho_{XZY'} = (\pi_{A,B'})\,\rho_{UZV'} \;\overset{q}{\approx}\; (\pi_{A,B'})\,\sigma_{UZV'} = \tau_{XZY'} \;\overset{q}{\approx}\; \sigma_{XZY'} = out^{\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}}_{A,\hat{B}'}\,.$$ 
The first approximation holds because $\pi_{A,B'}$ is a polynomial-size quantum operation applied to both 
sides of the induction hypothesis $\rho_{UZV'} \overset{q}{\approx} \sigma_{UZV'}$, and the second is the security of $\pi$ just invoked. 

Note that the strategy of $\hat{B}'$ does not depend on the state $\sigma_{UZV'}$, and hence, the overall ideal- 
world adversary $\hat{B}'$ does not depend on the input state either. Furthermore, the concatenation 
of two polynomially bounded players is polynomially bounded, i.e. $\hat{B}' \in \mathfrak{B}_{\mathrm{poly}}$. 

□ 
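The induction over $k = \mathrm{poly}(n)$ calls is only sound because the distinguishing advantages accumulate additively; the following unrolls the argument as a hybrid chain to make that explicit. This is an added illustration, not part of the original appendix or of [FS09]; since Definition 3.4 is not restated here, it assumes that $\overset{q}{\approx}$ means that every polynomial-size quantum distinguisher $D$ has advantage at most some $\varepsilon(n) \in \mathrm{negl}(n)$, and the hybrid names $H_j$ and the bounds $\varepsilon_j$ are notation introduced only for this illustration.

```latex
% Hybrid H_j (illustration only): the first j oracle calls are answered by the
% ideal functionalities F_i, the remaining k-j calls are executed by the real
% sub-protocols pi_i with the real-world adversary B'. Hence
%   H_0 = out^{\Sigma^{\pi_1\cdots\pi_\ell}}_{A,B'}            (real world)
%   H_k = out^{\Sigma^{\mathcal{F}_1\cdots\mathcal{F}_\ell}}_{A,\hat B'}  (ideal world)
% and H_{j-1}, H_j differ only in how the j-th call is executed.
%
% One induction step (the proof above with k := j) gives, for every
% polynomial-size distinguisher D,
\bigl|\Pr[D(H_{j-1}) = 1] - \Pr[D(H_j) = 1]\bigr| \;\le\; \varepsilon_j(n),
\qquad \varepsilon_j \in \mathrm{negl}(n),
% because D composed with the (polynomial-size) remainder of the protocol is
% itself a polynomial-size distinguisher against the j-th sub-protocol pi_i.
%
% Triangle inequality over the chain H_0, H_1, ..., H_k:
\bigl|\Pr[D(H_0) = 1] - \Pr[D(H_k) = 1]\bigr|
  \;\le\; \sum_{j=1}^{k} \bigl|\Pr[D(H_{j-1}) = 1] - \Pr[D(H_j) = 1]\bigr|
  \;\le\; \sum_{j=1}^{k} \varepsilon_j(n)
  \;\le\; k \cdot \max_{1 \le j \le k} \varepsilon_j(n).
% With k = poly(n) and each \varepsilon_j negligible, the right-hand side is
% negligible, i.e. H_0 \overset{q}{\approx} H_k, which is the claim of Theorem A.1.
```

The check a practitioner should make is that $\max_j \varepsilon_j$ is negligible uniformly in $j$: each step must reduce to the security of $\pi_i$ with a distinguisher whose size is polynomial independently of the position $j$ of the call. This is exactly what the remark in the proof that the concatenation of two polynomially bounded players is polynomially bounded provides; if the reduction's size grew with $j$, the bound $k \cdot \max_j \varepsilon_j$ would not follow.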
Fig. 8. Steps of the Composability Proof 